You need to sort out some basic things:

- your user sits at the laptop and connects to - what? What service is
the router controlling?

- your router is most likely the only (radius) client on your network.
User machines should be removed from clients.conf.

- don't use Auth-Type and User-Password. Read the instructions in the users
file. The documentation you got these entries from is years out of date.

Ican Kalik
Kalik Informatika ISP


On 18/4/2008, "Si St" <[EMAIL PROTECTED]> wrote:

>WILL THE DEFAULT ROUTER FIREWALL CONFIGURATION BELOW WORK WITH THE RADIUS?
>Below you have the default setup of my router firewall section. I have not 
>changed anything there yet. Could the router firewall stay as this? I have 
>been looking through the SuSE-firewall settings in YaST too, and cannot find 
>anything that should interfere there. I would also expect an installation of 
>radius to harmonize with the SuSEfirewall2 through the /sbin/SuSEconfig anyhow.
>
>DOES THE ROUTER EAP CONFIGURATION BELOW LOOK RIGHT?
>Further, below you have also a proposal of how I would set up the 
>radius-section of that router. The main thing here is to try to show if I 
>really know what I am doing. The Shared Secret and user passwords are chosen 
>in correspondence with my understanding of Alan DeKOK's answer to my first 
>mails; I am here thinking of identity/password in YaST and secret in Router 
>configs.
>
>ANY FIRST-THOUGHT COMMENT ON MY clients.conf AND users?
>I have tested out the changes I have made to /etc/raddb/users and 
>clients.conf, starting debug mode with radiusd -X. This is in correspondence with 
>Buxey's recommendations to further proceed into the Inner Circle of Radius. No 
>errors or warnings, "Ready to process requests". (The only one I had was 
>forgetting a comma previous to the Reply_Message line. And I commented out 
>consciously certain values to test out the messages of the radius debug). As 
>to the recent back-and-forth writing on the mailing-list about the file- and 
>directory permissions in /etc/raddb/certs and demoCA, I chose to stay with the 
>proposal of Hood, letting the files stay 640 as they used to and changing the 
>seemingly bad and wrong permissions of certs/ and demoCA/ from 640 to 750.
>
>The next job is to work out the certificates, but here I have really good help 
>from the stuff in /usr/share/doc/packages/freeradius/CA.certs, and I have 
>already studied and tried out this part.
>
>/*But first - if you may - take a look at the matter below, and by the way it 
>is Friday evening, at least in Norway now, and you may make yourselves a good 
>sharp drink to have that burning sensation of exploring newbies' crap with 
>"failed", "errors", "really bad code, how is it possible to scribble so much 
>sh.", "God, do you really need to fill up our servers with so much unnecessary 
>writing", and so on. But don't spill the booze on your keyboards, especially if 
>you have those laptops; it is a hell of a job to unscrew it, dry it up, and 
>finally realize that those plastic screw-holes do not fit so tight anymore.
>- Thanks people, so far! */
>
>----------------------------------------
>ROUTER FIREWALL SETTINGS
>----------------------------------------
> Enable SPI : YES
>
> NAT ENDPOINT FILTERING
>  UDP Endpoint Filtering
>   Endpoint Independent: NO
>   Address Restricted: YES
>   Port And Address Restricted:NO
>
>  TCP Endpoint Filtering
>   Endpoint Independent
>   Address Restricted: NO
>   Port And Address Restricted: YES
>
>----------------------------------------
>Radius configuration on the router
>EAP (802.1x)
>----------------------------------------
>Authentication Timeout : 60 (minutes)
>RADIUS server IP Address : 192.168.0.198
>RADIUS server Port : 1812
>RADIUS server Shared Secret : testing123
>MAC Address Authentication : YES
>
>-------------------------------------------------
>SuSE YaST setup for EAP-TLS
>-------------------------------------------------
>machine/PC IP-address 192.168.0.198
>Identity: sigbj
>Password: testing-0
>Client-certificat: (file-address of this machine)
>Server-certificat: (file-address of this machine)
>-------------------------------------------------
>machine/PC IP-address 192.168.0.196
>Identity: elise
>Password: testing-2
>Client-certificat: (file-address of this machine)
>Server-certificat: (file-address of this machine)
>-------------------------------------------------
>(next machine,but now only WinOS: we have to do PEAP)
>========================================
>/etc/raddb/clients.conf
>--------------------------------------------
>client 192.168.0.198 {
>        secret          = testing123
>        shortname       = asus-TL
>        nastype         = other
># SuSE 10.0_EAP-TLS; (WinXP_PEAP) -laptop
>}
>
>client 192.168.0.197 {
>        secret          = testing123
>        shortname       = hp-TL
>        nastype         = other
># WinVista_PEAP -laptop
>}
>
>client 192.168.0.196 {
>        secret          = testing123
>        shortname       = loft-TL
>        nastype         = other
># SLED SP1_EAP-TLS; WinXP_PEAP -workstation
>}
>
>client 192.168.0.195 {
>        secret          = testing123
>        shortname       = acer-TL
>        nastype         = other
># WinXP_PEAP -laptop
>}
>=================================================================
>/etc/raddb/users
>-----------------------------------------------------------------
>sigbj   Auth-Type := Local, User-Password == "testing-0"
>        Service-Type = Framed-User,
>        Framed-Protocol = PPP,
>        Framed-IP-Address = 192.168.0.198,
>        Framed-IP-Netmask = 255.255.255.0,
>        Framed-Routing = Broadcast-Listen,
>        Framed-Filter-Id = "std.ppp",
>        Framed-MTU = 1500,
>        Framed-Compression = Van-Jacobsen-TCP-IP,
>        Reply-Message = "Welcome to The Inner Circle, %u"
>
>andr    Auth-Type := Local, User-Password == "testing-1"
>        Service-Type = Framed-User,
>        Framed-Protocol = PPP,
>        Framed-IP-Address = 192.168.0.197,
>        Framed-IP-Netmask = 255.255.255.0,
>        Framed-Routing = Broadcast-Listen,
>        Framed-Filter-Id = "std.ppp",
>        Framed-MTU = 1500,
>        Framed-Compression = Van-Jacobsen-TCP-IP,
>        Reply-Message = "Welcome to The Inner Circle, %u"
>
>elise   Auth-Type := Local, User-Password == "testing-2"
>        Service-Type = Framed-User,
>        Framed-Protocol = PPP,
>        Framed-IP-Address = 192.168.0.196,
>        Framed-IP-Netmask = 255.255.255.0,
>        Framed-Routing = Broadcast-Listen,
>        Framed-Filter-Id = "std.ppp",
>        Framed-MTU = 1500,
>        Framed-Compression = Van-Jacobsen-TCP-IP,
>        Reply-Message = "Welcome to The Inner Circle, %u"
>
>ingv    Auth-Type := Local, User-Password == "testing-3"
>        Service-Type = Framed-User,
>        Framed-Protocol = PPP,
>        Framed-IP-Address = 192.168.0.195,
>        Framed-IP-Netmask = 255.255.255.0,
>        Framed-Routing = Broadcast-Listen,
>        Framed-Filter-Id = "std.ppp",
>        Framed-MTU = 1500,
>        Framed-Compression = Van-Jacobsen-TCP-IP,
>        Reply-Message = "Welcome to The Inner Circle, %u"
>
>---------------------------------------------------------------
>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
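The two configuration points raised in the reply at the top of this message (only the router should be a RADIUS client, and users entries should not set Auth-Type or User-Password) can be checked mechanically. The following is an added example, not part of the original thread or of FreeRADIUS; the router address 192.168.0.1, the function names and the abridged sample files are assumptions constructed for illustration.

```python
import re

# Constructed sample input, abridged from the files quoted in this thread.
CLIENTS_CONF = """\
client 192.168.0.198 {
        secret          = testing123
        shortname       = asus-TL
}
client 192.168.0.1 {
        secret          = testing123
        shortname       = router
}
"""
# Assumption: the router (NAS) LAN address; the thread does not state it.
NAS_ADDRESSES = {"192.168.0.1"}

# Second entry uses Cleartext-Password, the check item documented in the
# FreeRADIUS 2.x users file; it is not named in the thread itself.
USERS = """\
sigbj   Auth-Type := Local, User-Password == "testing-0"
        Service-Type = Framed-User,
        Reply-Message = "Welcome to The Inner Circle, %u"

elise   Cleartext-Password := "testing-2"
        Service-Type = Framed-User
"""


def extra_clients(conf_text, nas_addresses):
    """Return client entries in clients.conf that are not a known NAS."""
    names = re.findall(r"^\s*client\s+(\S+)\s*\{", conf_text, re.MULTILINE)
    return [n for n in names if n not in nas_addresses]


def flagged_check_items(users_text):
    """Return (user, attribute) pairs whose check line sets Auth-Type or User-Password."""
    findings = []
    for line in users_text.splitlines():
        # A users entry starts in column 0; its reply items are indented.
        if not line or line[0].isspace() or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        user, checks = parts[0], parts[1] if len(parts) > 1 else ""
        for attr in re.findall(r"\b(Auth-Type|User-Password)\s*(?::=|==|=)", checks):
            findings.append((user, attr))
    return findings


if __name__ == "__main__":
    print("clients to remove:", extra_clients(CLIENTS_CONF, NAS_ADDRESSES))
    print("check items to review:", flagged_check_items(USERS))
```
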
