a router as NAS
Andrew Andonopoulos
andre8525 at hotmail.com
Wed Jul 18 22:53:41 CEST 2012
Hi Si St,
I don't know why you are using a router, but in my situation we have sites where we installed L3 core switches and we just configure the RADIUS IP and the RADIUS shared key and it is working, or we have sites where we install a ZoneDirector (wireless controller) and can use it as a NAS; under the AAA settings we configured the port number (1812 or 1813 if you want) and the IP / shared key. As you can see, the NAS needs to know the IP, port number and the shared key. If you have a router then you need to do something similar so the router can pass the "messages" to the RADIUS server.
The next step is about your clients. Again we have sites (with the core switches) where the clients are connected with the Ethernet cable, so you need to configure the ports for dot1x. One example from the Allied Telesis switch is:
switchport
switchport mode access
dot1x port-control auto
dot1x control-direction both
auth dynamic-vlan-creation
As you can see, the port-control is necessary and the dynamic VLAN is optional.
If your clients are connected through the wireless then you need to configure PEAP / MSCHAPv2, because FreeRADIUS is using MD5 by default, and all the ports as trunks (Access Point, Controller, RADIUS server).
I believe in your case you are using a Cisco router, so configure the router with the AAA commands (check the Cisco site) and the port where you connect the client for dot1x. Run the server in debug mode (radiusd -X) and at the same time from the client try to connect with the RADIUS server. You should be able to see the requests; if RADIUS can't find or recognise the NAS then you will see an error and the IP of the router. If you are using Mac OS as a client, go to the network preferences and set up the dot1x to use MD5 only (if you haven't changed it in the EAP file).
regards, Andrew
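To make the "IP, port and shared key" point concrete, here is an added example (not part of this thread or of FreeRADIUS itself) that builds the PAP Access-Request a NAS or radtest sends and shows how the server can only recover User-Password with the same shared secret it has for that client in clients.conf. The secret, user name and password are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1            # RADIUS code for the Access-Request seen in radiusd -X
USER_NAME, USER_PASSWORD = 1, 2

def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks, XOR each block
    with MD5(secret + previous block), chained from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the chain with the secret configured for this NAS."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(user: bytes, password: bytes, secret: bytes,
                         ident: int = 0, authenticator: bytes = None) -> bytes:
    """The Access-Request a NAS (switch, controller, or radtest) sends to port 1812."""
    authenticator = authenticator or os.urandom(16)   # 16 random bytes per RFC 2865
    attrs = b""
    for code, value in ((USER_NAME, user),
                        (USER_PASSWORD, pap_encode(password, secret, authenticator))):
        attrs += struct.pack("!BB", code, len(value) + 2) + value   # type, length, value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def server_recover_password(packet: bytes, secret: bytes) -> bytes:
    """What FreeRADIUS does once the source IP matched a clients.conf entry:
    decode User-Password with that client's secret. A mismatched secret on
    either side yields garbage, so the [pap] check fails."""
    authenticator, pos = packet[4:20], 20
    while pos < len(packet):
        code, length = packet[pos], packet[pos + 1]
        if code == USER_PASSWORD:
            return pap_decode(packet[pos + 2:pos + length], secret, authenticator)
        pos += length
    return b""
```

Sending the packet over UDP to the server and reading the Access-Accept/Reject is left out; the point here is that the NAS's source IP selects the secret and the secret decides whether the password survives the trip.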
> From: sigbj-st at operamail.com
> To: freeradius-users at lists.freeradius.org
> Subject: Re: a router as NAS
> Date: Wed, 18 Jul 2012 21:43:49 +0200
>
> DeKOK, Buxey and andy79!
> Please, see if my understanding below is better.
>
> Taking a glimpse at the page
> http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html#wp1033659
> it seems obvious to me that I have misunderstood a few things:
> I thought I needed something EXTRA that should run a NAS request to the
> radius-server, and thought the router should do the job.
> But the NAS is there already in the FreeRADIUS server download file
> installed together with the server. Looking at what the radtest is
> spitting out it is there with its NAS IP and port "Sending
> Access-Request".
> The radiusd -X answers this request: "rad_recv: Access-Request......[pap]
> User authenticated successfully
> ++[pap] returns ok...........
>
> Were there no NAS already, the radiusd would not have answered. Simple
> as that. From this it is of course obvious to me that it is impossible
> that the router can run a NAS, and I can understand Buxey's resignation
> about my "very special router". The router can only direct or rather
> route the user client message to the NAS-radius machinery. That is what
> the router's EAP-switch is for, letting me configure an IP and a port in
> that box where to send it, have it treated by the
> NAS/radclient/radserver and receive an OK or something to let me through
> to the f.ex. internet. Isn't this correct?
>
> For the radtest to work I found that I had to apply the IPs or their
> authorized names or shortnames registered in the /etc/hosts. Otherwise:
> "radclient: Failed to find IP address for host sled-10sp3m: No such file
> or directory"
> At the same time the clients.conf must correlate with the /etc/hosts
>
> What is wrong is my subject heading: "router as NAS", which of course
> confuses.
>
> If this is correct everything is simplified to just find out how to
> network this.
> Am I closer now?
> --
> Si St
> sigbj-st at operamail.com
>
>
> On Mon, Jul 16, 2012, at 12:34 PM, Alan DeKok wrote:
> > Si St wrote:
> > > Q:Buxey:
> > > Hi,
> > > what makes you think you can send RADIUS requests to this router and for
> > > it
> > > to then send those requests to your server?
> > > A:Because the router documentation said it:
> > > "-WPA-Enterprise
> > >
> > > This option works with a RADIUS Server to authenticate wireless
> > > clients. Wireless clients should have established the necessary
> > > credentials before attempting to authenticate to the Server through
> > > this Gateway. Furthermore, it may be necessary to configure the
> > > RADIUS Server to allow this Gateway to authenticate users."
> >
> > That text does NOT say the router accepts RADIUS requests.
> >
> > > I really can't help that the documentation is imprecise, has gaps etc.
> >
> > It assumes that you are familiar with RADIUS and wireless
> > configuration. If you're not, the text is hard to understand.
> >
> > > The
> > > "credentials" I understand as certs; the "configure" is very sparse
> > > if PORTS have to be taken into consideration. - But we are really getting
> > > somewhere taking PORTS into my knowledge. But I do not know how to configure
> > > this and where. If the router has the 1812 configured I would assume
> > > that radius would return through the same port. I will try to read
> > > through the files in raddb to find something about it. Could
> > > /etc/service give a clue?
> >
> > No.
> >
> > Read more about RADIUS and wireless configuration. Start with
> > Wikipedia.
> >
> > Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
> --