a router as NAS

Si St sigbj-st at operamail.com
Sun Jul 15 18:49:18 CEST 2012


(I think I messed up the previous posting by replying to a previous post
that Winter answered. This message is found at the end of that post. I
am sorry. Hope this one comes in with the new subject.)
Can I connect to radius via a router that has a guestzone? It simply
means that the router has an extra guestzone interface that also
contains a choice for PSK or EAP.

From the following information I wonder why the radiusd is not
responding. Remember I am trying to log in with the radius from the PC
where the radius is installed. Radius is on 192.168.0.198 and I am
attempting login or request from 192.168.0.198. This may also be a
mistake. Maybe there will be a conflict between 192.168.0.1 = router and
192.168.0.198 localhost. I simply don't know.

The router is a DLINK 655
The OS is SuSE Linux Enterprise Desktop 10, ServPack 3
The radius is the freeradius-server-2.1.12

Here are the fields from this zone in the router:
**ROUTER PART**
"Use this section to configure the guest zone settings of your router.
The guest zone provide a separate network zone for guest to access
Internet":

--GUEST ZONE SELECTION--
Enable Guest Zone : (Yes)         
Wireless Band : 2.4GHz Band
Wireless Network Name : EAP_sled           (Also called the SSID)
Enable Routing Between Zones :  (No) 
Security Mode : WPA-Enterprise

--WPA--
WPA Mode : Auto (WPA or WPA2)    
Cipher Type : TKIP and AES       
Group Key Update Interval : 3600 (seconds)   

--EAP (802.1x)--

"When WPA enterprise is enabled, the router uses EAP (802.1x) to
authenticate clients via a remote RADIUS server."

Authentication Timeout : 60       (minutes)
RADIUS server IP Address : 192.168.0.198         
RADIUS server Port : 1812        
RADIUS server Shared Secret : testing123 
MAC Address Authentication : No
**CLIENT.CONF**
Then I change the client.conf from localhost 127.0.0.1 to the IP of the
router 192.168.0.1
#client localhost {
        #  Allowed values are:
        #       dotted quad (1.2.3.4)
        #       hostname    (radius.example.com)
#       ipaddr = 127.0.0.1
# Test with router:
client router {
        #  Allowed values are:
        #       dotted quad (1.2.3.4)
        #       hostname    (radius.example.com)
        ipaddr = 192.168.0.1
#
and I keep rest of it as it was.

**/ETC/HOSTS/**
I put in a line in /etc/hosts/ (I am not sure if it is right or
necessary):
# IP-Address  Full-Qualified-Hostname  Short-Hostname
192.168.0.1       router                    dlink

**YAST CONFIG FOR THE USERCLIENT**
I change the setup in system (YaST) from PSK key to EAP:
--MODUS--
Accesspoint: (Yes)
Ad hoc: no
Master: no
--NETWORKNAME SSID--
EAP_sled
--AUTHENTICATION MODUS--
Open: no
Shared key: no  
WPA-EAP  (Yes)
WPA-PSK: no
EAP Modus: TTLS
Identity: sigbj (as in /usr/local/etc/raddb/users)
Password: testing-0 (as in /usr/local/etc/raddb/users)
Anonymous identity: (left open)
Client-Sert: (closed)
Client-Key: (closed)
Client-Key_password: whatever
Server-Sert: /usr/local/etc/raddb/certs/server.csr

I have made no changes in eap.conf and radius.conf

I try to start the radiusd -X with these changes (the previous test on
localhost is successful: "Ready to process requests." And radtest test
gives the right feedback: Sending Access-Accept of id 178 to 127.0.0.1
port 1932, so this test part works)

Some of the messages from the radiusd -X with the changed client.conf:
........
radiusd: #### Loading Clients ####
 client router {
        ipaddr = 192.168.0.1
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
.............
... adding new socket proxy address * port 1047
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.

radtest gives this:
Sending Access-Request of id 207 to 127.0.0.1 port 1812
        User-Name = "sigbj"
        User-Password = "testing-0"
        NAS-IP-Address = 192.168.0.198
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
radclient: no response from server for ID 207 socket 3

and radiusd consequently:
Ignoring request to authentication address * port 1812 from unknown
client 127.0.0.1 port 1048

Trying to log in with the Knetworkmanager (KDE) on to the network gives
no reaction on the server, server is just waiting, the knetworkmanager
may blink or just dryrun. I have a feeling that the server is listening
on the 127.0.0.1 instead of on 192.168.0.1, but do not know.

I am of course doing a typical newbie mistake somewhere, but I do not
know what.

IF YOU NEED THE WHOLE RADIUSD -X LOG AT THIS POINT, PLEASE TELL ME. I
have given these explanations to begin with. The problems may also be
that a router of this kind cannot be used on freeradius or that the
router is 100% "Windows-messed-up".

-- 
  Si St
  sigbj-st at operamail.com
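
Added example (not part of the original post and not FreeRADIUS code): a small Python check that compares the active client entries in a clients.conf-style text with the source addresses that radiusd -X reports as "unknown client". The sample config and log are constructed from the excerpts in the message above; the function names are hypothetical, and only plain dotted-quad `ipaddr =` entries are handled.

```python
import re

# Constructed sample mirroring the post: the localhost client is commented
# out and only the router client is active.
SAMPLE_CLIENTS = """\
#client localhost {
#       ipaddr = 127.0.0.1
client router {
        ipaddr = 192.168.0.1
}
"""
# Constructed radiusd -X output, hard-wrapped as it appears in the e-mail.
SAMPLE_LOG = """\
Ready to process requests.
Ignoring request to authentication address * port 1812 from unknown
client 127.0.0.1 port 1048
"""

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{")
IPADDR_RE = re.compile(r"^\s*ipaddr\s*=\s*(\d+\.\d+\.\d+\.\d+)")
UNKNOWN_RE = re.compile(r"from\s+unknown\s+client\s+(\d+\.\d+\.\d+\.\d+)")

def active_clients(conf_text):
    """Map ipaddr -> client name for client blocks that are not commented out."""
    clients, current = {}, None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments, including whole-line ones
        start, ip = CLIENT_RE.match(line), IPADDR_RE.match(line)
        if start:
            current = start.group(1)
        elif ip and current:
            clients[ip.group(1)] = current
        if "}" in line:
            current = None
    return clients

def unknown_sources(log_text):
    """Source addresses radiusd ignored; tolerates hard-wrapped log lines."""
    return sorted(set(UNKNOWN_RE.findall(" ".join(log_text.split()))))

def report(conf_text, log_text):
    """Return {source_ip: client name, or None when no active entry exists}."""
    clients = active_clients(conf_text)
    return {ip: clients.get(ip) for ip in unknown_sources(log_text)}

if __name__ == "__main__":
    print(report(SAMPLE_CLIENTS, SAMPLE_LOG))
```

A `None` value in the result marks a source address that sent a request but has no active client entry in the config text.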
