a router as NAS

Si St sigbj-st at operamail.com
Mon Jul 16 00:20:00 CEST 2012


Thank you, I have done that already. The IP and the shared secret
are inside the EAP config of the router just like you say. I have
ping contact from the PC to the router. The configuration "client
router { secret = testing123; ipaddr = 192.168.0.1; }" should
work so that I would be able to send "radtest sigbj testing-0
192.168.0.1 0 testing123" to the router to have the router call
the radiusd at 192.168.0.199. Using 127.0.0.1 there is full
acceptance both with radtest -t eap-md5, chap, mschap, pap. It
IS working, and WELL too. -- The mysql part I have not tried out,
but it is not so important at this stage.

To me the radius is so well configured and constructed that it
should be this simple, at least taking into consideration the
documentation I have read. The problem seems to be that the call
from the computer to the NAS-client (the router) does not come
through, or the NAS will not send requests to the radius server.
Again, it might be a network problem, a missing part from my side,
or something else. It is strange, because the router works with
WPA-PSK.
--
Si St
sigbj-st at operamail.com
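
How radiusd decides whether a request comes from a known client is the crux of this thread, so here is an added example (not code from the thread, the poster, or the FreeRADIUS project) that parses clients.conf-style blocks and looks up the source address of a request. The two configurations embedded in it are constructed from the thread: the router-only block with the localhost block commented out, and the catch-all 0.0.0.0/0 block suggested in the reply below. A request from 127.0.0.1 matches nothing in the first config, which is the "unknown client 127.0.0.1" line in the quoted radiusd -X output; in the second config every source address matches. The longest-prefix selection and the audit thresholds (256 addresses, 16-character secret) are this example's own assumptions, not FreeRADIUS settings.

```python
import ipaddress
import re

# Constructed clients.conf-style text modelled on the thread: only the router is a
# known client and the localhost block is commented out, as in the quoted config.
ROUTER_ONLY_CONF = """
client router {
    ipaddr    = 192.168.0.1
    secret    = testing123
    shortname = dlink
}
# client localhost {
#     ipaddr = 127.0.0.1
#     secret = testing123
# }
"""

# Constructed copy of the catch-all block suggested in the reply.
CATCH_ALL_CONF = """
client 0.0.0.0/0 {
    secret          = mysecret
    shortname       = myNAS
}
"""

BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.DOTALL)


def strip_comments(text):
    """Drop '#' comments the way the FreeRADIUS config parser does."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_clients(text):
    """Return [(name, network, settings)] for each client block.

    The network comes from ipaddr (optionally with netmask); when ipaddr is absent the
    block name itself is used, which is how 'client 0.0.0.0/0 { ... }' works.
    """
    clients = []
    for name, body in BLOCK_RE.findall(strip_comments(text)):
        settings = {}
        for line in body.splitlines():
            if "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip()] = value.strip().strip('"')
        addr = settings.get("ipaddr", name)
        if "/" not in addr and "netmask" in settings:
            addr = f"{addr}/{settings['netmask']}"
        clients.append((name, ipaddress.ip_network(addr, strict=False), settings))
    return clients


def find_client(clients, source_ip):
    """Most specific (longest prefix) client block containing source_ip, or None.

    None is the case radiusd reports as 'Ignoring request ... from unknown client'.
    Longest-prefix selection is this example's assumption about lookup order.
    """
    ip = ipaddress.ip_address(source_ip)
    matches = [c for c in clients if ip in c[1]]
    return max(matches, key=lambda c: c[1].prefixlen) if matches else None


def audit_clients(clients, max_hosts=256, min_secret_len=16):
    """Flag blocks that let many hosts share one secret, or that use a short secret.

    Thresholds are illustrative choices for this example, not FreeRADIUS defaults.
    """
    findings = []
    for name, network, settings in clients:
        if network.num_addresses > max_hosts:
            findings.append(f"{name}: {network} admits {network.num_addresses} source addresses with one secret")
        if len(settings.get("secret", "")) < min_secret_len:
            findings.append(f"{name}: shared secret shorter than {min_secret_len} characters")
    return findings


if __name__ == "__main__":
    router_only = parse_clients(ROUTER_ONLY_CONF)
    print(find_client(router_only, "127.0.0.1"))       # None: radtest from the local PC is unknown
    print(find_client(router_only, "192.168.0.1")[0])  # router
    catch_all = parse_clients(CATCH_ALL_CONF)
    print(find_client(catch_all, "203.0.113.7")[0])    # 0.0.0.0/0 matches any source
    for finding in audit_clients(catch_all):
        print("WARNING:", finding)
```

Running it shows the two sides of the thread at once: with only the router block present, a radtest sent to 127.0.0.1 is discarded before any authentication happens, and with the catch-all block present the server will talk to any host that knows the one shared secret, so that block is convenient for testing but worth narrowing to the NAS addresses once things work.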


On Sun, Jul 15, 2012, at 11:21 PM, Andrew Andonopoulos wrote:

Hi,

you can use the following to include all the IPs inside the
clients file:

client 0.0.0.0/0 {
    secret          = mysecret
    shortname       = myNAS
}



From the router's side you need to write a command to add your radius shared key and IP. For example, if it is Allied Telesis:


radius-server key <key>
radius-server host <ip>


For Cisco it is something similar.


If you are using MySQL then you need to add it to the nas table, but before that you need to edit the sql.conf file and uncomment the line readclients = yes.



For example, my MySQL nas table looks like this:


+----+----------+--------------+-------+-------+--------+-----------+---------------+--------+
| id | nasname  | shortname    | type  | ports | secret | community | description   | server |
+----+----------+--------------+-------+-------+--------+-----------+---------------+--------+
|  1 |    <IP>  | Core         | other |  NULL |  <key> | NULL      | Radius Client | NULL   |
|  2 |    <IP>  | ZoneDirector | other |  NULL | <key>  | NULL      | Radius Client | NULL   |
+----+----------+--------------+-------+-------+--------+-----------+---------------+--------+



because I am using the Core and the ZoneDirector as a NAS.


Good luck

Andrew


> From: sigbj-st at operamail.com
> To: freeradius-users at lists.freeradius.org
> Subject: a router as NAS
> Date: Sun, 15 Jul 2012 18:49:18 +0200
>
> (I think I messed up the previous posting by replying to a previous
> post answered by Winter. This message is found in the end of that
> post. I am sorry. Hope this one comes in with the new subject.)
> Can I connect to radius via a router that has a guestzone? It simply
> means that the router has an extra guestzone interface that also
> contains a choice for PSK or EAP.
>
> From the following information I wonder why the radiusd is not
> responding. Remember I am trying to log in with the radius from the PC
> where the radius is installed. Radius is on 192.168.0.198 and I am
> attempting login or request from 192.168.0.198. This may also be a
> mistake. Maybe there will be a conflict between 192.168.0.1 = router
> and 192.168.0.198 localhost. I simply don't know.
>
> The router is a DLINK 655
> The OS is SuSE Linux Enterprise Desktop 10, ServPack 3
> The radius is the freeradius-server-2.1.12
>
> Here are the fields from this zone in the router:
> **ROUTER PART**
> "Use this section to configure the guest zone settings of your router.
> The guest zone provide a separate network zone for guest to access
> Internet":
>
> --GUEST ZONE SELECTION--
> Enable Guest Zone : (Yes)
> Wireless Band : 2.4GHz Band
> Wireless Network Name : EAP_sled (Also called the SSID)
> Enable Routing Between Zones : (No)
> Security Mode : WPA-Enterprise
>
> --WPA--
> WPA Mode : Auto (WPA or WPA2)
> Cipher Type : TKIP and AES
> Group Key Update Interval : 3600 (seconds)
>
> --EAP (802.1x)--
>
> "When WPA enterprise is enabled, the router uses EAP (802.1x) to
> authenticate clients via a remote RADIUS server."
>
> Authentication Timeout : 60 (minutes)
> RADIUS server IP Address : 192.168.0.198
> RADIUS server Port : 1812
> RADIUS server Shared Secret : testing123
> MAC Address Authentication : No
> **CLIENT.CONF**
> Then I change the client.conf from localhost 127.0.0.1 to the IP of the
> router 192.168.0.1
> #client localhost {
> # Allowed values are:
> # dotted quad (1.2.3.4)
> # hostname (radius.example.com)
> # ipaddr = 127.0.0.1
> # Test with router:
> client router {
> # Allowed values are:
> # dotted quad (1.2.3.4)
> # hostname (radius.example.com)
> ipaddr = 192.168.0.1
> #
> and I keep rest of it as it was.
>
> **/ETC/HOSTS/**
> I put in a line in /etc/hosts/ (I am not sure if it is right or
> necessary:
> # IP-Address Full-Qualified-Hostname Short-Hostname
> 192.168.0.1 router dlink
>
> **YAST CONFIG FOR THE USERCLIENT**
> I change the setup in system (YaST) from PSK key to EAP:
> --MODUS--
> Accesspoint: (Yes)
> Ad hoc: no
> Master: no
> --NETWORKNAME SSID--
> EAP_sled
> --AUTHENTICATION MODUS--
> Open: no
> Shared key: no
> WPA-EAP (Yes)
> WPA-PSK: no
> EAP Modus: TTLS
> Identity: sigbj (as in /usr/local/etc/raddb/users)
> Password: testing-0 (as in /usr/local/etc/raddb/users)
> Anonymous identity: (left open)
> Client-Sert: (closed)
> Client-Key: (closed)
> Client-Key_password: whatever
> Server-Sert: /usr/local/etc/raddb/certs/server.csr
>
> I have made no changes in eap.conf and radius.conf
>
> I try to start the radiusd -X with these changes (the previous test on
> localhost is successful: "Ready to process requests." And radtest test
> gives the right feedback: Sending Access-Accept of id 178 to 127.0.0.1
> port 1932, so this test part works)
>
> Some of the messages from the radiusd -X with the changed client.conf:
> ........
> radiusd: #### Loading Clients ####
> client router {
> ipaddr = 192.168.0.1
> require_message_authenticator = no
> secret = "testing123"
> nastype = "other"
> .............
> ... adding new socket proxy address * port 1047
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on command file /usr/local/var/run/radiusd/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
> Listening on proxy address * port 1814
> Ready to process requests.
>
> radtest gives this:
> Sending Access-Request of id 207 to 127.0.0.1 port 1812
> User-Name = "sigbj"
> User-Password = "testing-0"
> NAS-IP-Address = 192.168.0.198
> NAS-Port = 0
> Message-Authenticator = 0x00000000000000000000000000000000
> radclient: no response from server for ID 207 socket 3
>
> and radiusd consequently:
> Ignoring request to authentication address * port 1812 from unknown
> client 127.0.0.1 port 1048
>
> Trying to login with the Knetworkmanager (KDE) on to the network gives
> no reaction on the server, server is just waiting, the knetworkmanager
> may blink or just dryrun. I have a feeling that the server is listening
> on the 127.0.0.1 instead of on 192.168.0.1, but do not know.
>
> I am of course doing a typical newbie mistake somewhere, but I do not
> know what.
>
> IF YOU NEED THE WHOLE RADIUSD -X LOG AT THIS POINT, PLEASE TELL ME. I
> have given these explanations to begin with. The problems may also be
> that a router of this kind cannot be used on freeradius or that the
> router is 100% "Windows-messed-up".
>
> --
> Si St
> sigbj-st at operamail.com
>
> --
> http://www.fastmail.fm - The professional email service
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
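
The radtest output quoted above lists the attributes of an Access-Request (User-Name, User-Password, NAS-IP-Address, NAS-Port and an all-zero Message-Authenticator), and the radiusd -X output shows the router client loaded with require_message_authenticator = no. The shared secret enters that packet in two places: the User-Password is hidden with an MD5 stream keyed by the secret (RFC 2865), and the Message-Authenticator is an HMAC-MD5 over the packet keyed by the secret (RFC 2869). The following added example (not code from the thread or from FreeRADIUS) builds such a packet with the thread's values and checks it as a server would, so that a secret mismatch between NAS and server, or a tampered attribute, is rejected before the password is ever looked at. The attribute numbers are from the RFCs; the identifier, user, password, secret and NAS address are taken from the quoted radtest run, and the Request Authenticator is random as it would be on the wire.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types from RFC 2865 / RFC 2869.
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80


def attr(atype, value):
    """Encode one attribute as Type (1 byte), Length (1 byte, includes the header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; only a receiver holding the same secret recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip, nas_port, authenticator=None):
    """Build an Access-Request like the one radtest prints, then fill in the Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = (
        attr(USER_NAME, username)
        + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
        + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + attr(NAS_PORT, struct.pack("!I", nas_port))
        + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # zeroed while the HMAC is computed
    )
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    # RFC 2869 5.14: HMAC-MD5 over the whole packet, keyed with the shared secret.
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def parse_attributes(packet):
    """Return [(type, value, value_offset)] for the attributes after the 20-byte header."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen], pos + 2))
        pos += alen
    return attrs


def verify_access_request(packet, secret, require_message_authenticator=True):
    """Server-side check. Returns (accepted, username, password).

    accepted is False when the length field is wrong, a required Message-Authenticator
    is missing, or the HMAC does not verify under this secret (NAS and server disagree).
    """
    if len(packet) < 20:
        return False, None, None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False, None, None
    authenticator = packet[4:20]
    fields = {atype: (value, off) for atype, value, off in parse_attributes(packet)}
    if MESSAGE_AUTHENTICATOR in fields:
        value, off = fields[MESSAGE_AUTHENTICATOR]
        zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(expected, value):
            return False, None, None
    elif require_message_authenticator:
        return False, None, None
    username = fields[USER_NAME][0] if USER_NAME in fields else None
    password = None
    if USER_PASSWORD in fields:
        password = reveal_password(fields[USER_PASSWORD][0], secret, authenticator)
    return True, username, password


if __name__ == "__main__":
    # Identifier, user, password, secret and NAS address from the quoted radtest run.
    pkt = build_access_request(207, b"sigbj", b"testing-0", b"testing123", "192.168.0.198", 0)
    print(verify_access_request(pkt, b"testing123"))   # (True, b'sigbj', b'testing-0')
    print(verify_access_request(pkt, b"wrongsecret"))  # (False, None, None)
```

The check order mirrors what a server can do: the Message-Authenticator is verifiable without knowing anything about the user, so a request from a NAS with the wrong secret (or a modified packet) is dropped before the hidden password is decoded. With require_message_authenticator set to no, as in the quoted config, a request that omits the attribute is still processed, and only the garbled User-Password would reveal a secret mismatch.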


-- 
http://www.fastmail.fm - Accessible with your email software
                          or over the web
