You need to sort out some basic things:

- your user sits at the laptop and connects to - what? What service is router controlling?
- your router is most likely the only (radius) client on your network. User machines should be removed from clients.conf.
- don't use Auth-Type and User-Password. Read instructions in users file. Documentation you got these entries from is years out of date.

Ican Kalik
Kalik Informatika ISP

On 18/4/2008, "Si St" <[EMAIL PROTECTED]> wrote:

>WILL THE DEFAULT ROUTER FIREWALL CONFIGURATION BELOW WORK WITH THE RADIUS?
>Below you have the default setup of my router firewall section. I have not
>changed anything there yet. Could the router firewall stay as this? I have
>been looking through the SuSE-firewall settings in YaST too, and cannot find
>anything that should interfere there. I would also expect an installation of
>radius to harmonize with the SuSEfirewall2 through the /sbin/SuSEconfig anyhow.
>
>DOES THE ROUTER EAP CONFIGURATION BELOW LOOK RIGHT?
>Further, below you have also a proposal of how I would set up the
>radius-section of that router. The main thing here is to try to show if I
>really know what I am doing. The Shared Secret and user passwords are chosen
>in correspondence with my understanding of Alan DeKOK's answer of my first
>mails; I am here thinking of identity/password in YaST and secret in Router
>configs.
>
>ANY FIRST-THOUGHT COMMENT ON MY clients.conf AND users?
>I have tested out the changes I have made of /etc/raddb/users and
>clients.conf, starting debugmode with radiusd -X. This in correspondence with
>Buxey's recommendations to further proceed into the Inner Circle of Radius. No
>errors or warnings, "Ready to process requests". (The only one I had was
>forgetting a comma previous to the Reply_Message line. And I outcommented
>consciously certain values to test out the messages of the radius debug).
>As to the recent back-and-forth writing on the mailing-list about the file- and
>directory permissions in /etc/raddb/certs and demoCA, I chose to stay with the
>proposal of Hood, letting the files stay 640 as they used to and changing the
>seemingly bad and wrong permissions of certs/ and demoCA/ from 640 to 750.
>
>The next job is to work out the certificates, but here I have really good help
>by the stuff in /usr/share/doc/packages/freeradius/CA.certs, and I have
>already studied and tried out this part.
>
>/*But first - if you may - take a look at the matter below, and by the way it
>is Friday evening, at least in Norway now, and you may make yourselves a good
>sharp drink to have that burning sensation of exploring newbies crap with
>"failed", "errors", "really bad code, how is it possible to scribble so much
>sh.", "God, do you really need to fill up our servers with so much unnecessary
>writing", and so on. But don't spill the booze on your keyboards, especially if
>you have those laptops; it is hell of a job to unscrew it, dry it up, and
>finally realizing that those plastic screw-holes do not fit so tight anymore.
>- Thanks people, so far!
>*/
>
>----------------------------------------
>ROUTER FIREWALL SETTINGS
>----------------------------------------
> Enable SPI : YES
>
> NAT ENDPOINT FILTERING
> UDP Endpoint Filtering
> Endpoint Independent: NO
> Address Restricted: YES
> Port And Address Restricted:NO
>
> TCP Endpoint Filtering
> Endpoint Independent
> Address Restricted: NO
> Port And Address Restricted: YES
>
>----------------------------------------
>Radius configuration on the router
>EAP (802.1x)
>----------------------------------------
>Authentication Timeout : 60 (minutes)
>RADIUS server IP Address : 192.168.0.198
>RADIUS server Port : 1812
>RADIUS server Shared Secret : testing123
>MAC Address Authentication : YES
>
>-------------------------------------------------
>SuSE YaST setup for EAP-TLS
>-------------------------------------------------
>machine/PC IP-address 192.168.0.198
>Identity: sigbj
>Password: testing-0
>Client-certificat: (file-address of this machine)
>Server-certificat: (file-address of this machine)
>-------------------------------------------------
>machine/PC IP-address 192.168.0.196
>Identity: elise
>Password: testing-2
>Client-certificat: (file-address of this machine)
>Server-certificat: (file-address of this machine)
>-------------------------------------------------
>(next machine, but now only WinOS: we have to do PEAP)
>========================================
>/etc/raddb/clients.conf
>--------------------------------------------
>client 192.168.0.198 {
>    secret = testing123
>    shortname = asus-TL
>    nastype = other
># SuSE 10.0_EAP-TLS; (WinXP_PEAP) -laptop
>}
>
>client 192.168.0.197 {
>    secret = testing123
>    shortname = hp-TL
>    nastype = other
># WinVista_PEAP -laptop
>}
>
>client 192.168.0.196 {
>    secret = testing123
>    shortname = loft-TL
>    nastype = other
># SLED SP1_EAP-TLS; WinXP_PEAP -workstation
>}
>
>client 192.168.0.195 {
>    secret = testing123
>    shortname = acer-TL
>    nastype = other
># WinXP_PEAP -laptop
>}
>=================================================================
>/etc/raddb/users
>-----------------------------------------------------------------
>sigbj Auth-Type := Local, User-Password == "testing-0"
>    Service-Type = Framed-User,
>    Framed-Protocol = PPP,
>    Framed-IP-Address = 192.168.0.198,
>    Framed-IP-Netmask = 255.255.255.0,
>    Framed-Routing = Broadcast-Listen,
>    Framed-Filter-Id = "std.ppp",
>    Framed-MTU = 1500,
>    Framed-Compression = Van-Jacobsen-TCP-IP,
>    Reply-Message = "Welcome to The Inner Circle, %u"
>
>andr Auth-Type := Local, User-Password == "testing-1"
>    Service-Type = Framed-User,
>    Framed-Protocol = PPP,
>    Framed-IP-Address = 192.168.0.197,
>    Framed-IP-Netmask = 255.255.255.0,
>    Framed-Routing = Broadcast-Listen,
>    Framed-Filter-Id = "std.ppp",
>    Framed-MTU = 1500,
>    Framed-Compression = Van-Jacobsen-TCP-IP,
>    Reply-Message = "Welcome to The Inner Circle, %u"
>
>elise Auth-Type := Local, User-Password == "testing-2"
>    Service-Type = Framed-User,
>    Framed-Protocol = PPP,
>    Framed-IP-Address = 192.168.0.196,
>    Framed-IP-Netmask = 255.255.255.0,
>    Framed-Routing = Broadcast-Listen,
>    Framed-Filter-Id = "std.ppp",
>    Framed-MTU = 1500,
>    Framed-Compression = Van-Jacobsen-TCP-IP,
>    Reply-Message = "Welcome to The Inner Circle, %u"
>
>ingv Auth-Type := Local, User-Password == "testing-3"
>    Service-Type = Framed-User,
>    Framed-Protocol = PPP,
>    Framed-IP-Address = 192.168.0.195,
>    Framed-IP-Netmask = 255.255.255.0,
>    Framed-Routing = Broadcast-Listen,
>    Framed-Filter-Id = "std.ppp",
>    Framed-MTU = 1500,
>    Framed-Compression = Van-Jacobsen-TCP-IP,
>    Reply-Message = "Welcome to The Inner Circle, %u"
>
>---------------------------------------------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
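
Added example (not part of the original thread and not FreeRADIUS code): a small Python check that applies the reply's two points to the posted files, flagging client entries that are not the NAS and users entries that set Auth-Type or User-Password. The function names are hypothetical, the embedded excerpts are shortened from the message above, and 192.168.0.1 is an assumed router address that the thread does not give.

```python
import re

# Excerpts of the files posted in the thread, shortened to two entries each.
CLIENTS_CONF = """\
client 192.168.0.198 {
    secret = testing123
    shortname = asus-TL
}
client 192.168.0.196 {
    secret = testing123
    shortname = loft-TL
}
"""
USERS = """\
sigbj Auth-Type := Local, User-Password == "testing-0"
    Service-Type = Framed-User,
    Framed-Protocol = PPP
elise Auth-Type := Local, User-Password == "testing-2"
"""

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)

def audit_clients(text, nas_addrs):
    """Flag client blocks that are not a known NAS (router/AP)."""
    findings = []
    for name, body in CLIENT_RE.findall(text):
        if name not in nas_addrs:
            findings.append((name, "not a NAS: remove from clients.conf"))
        m = re.search(r"^\s*secret\s*=\s*(\S+)", body, re.M)
        # testing123 is the secret in FreeRADIUS's sample clients.conf
        if m and m.group(1) == "testing123":
            findings.append((name, "sample secret testing123 still in use"))
    return findings

def audit_users(text):
    """Flag check items the reply says not to use in the users file."""
    findings = []
    for line in text.splitlines():
        if not line or line[0].isspace() or line.startswith("#"):
            continue  # reply-item continuation, blank line or comment
        user, _, checks = line.partition(" ")
        for attr in ("Auth-Type", "User-Password"):
            if re.search(rf"\b{attr}\s*(:=|==|=)", checks):
                findings.append((user, f"{attr} set in check items"))
    return findings

if __name__ == "__main__":
    # 192.168.0.1 is an assumed router address; the thread does not give it.
    for item in audit_clients(CLIENTS_CONF, {"192.168.0.1"}) + audit_users(USERS):
        print("%-15s %s" % item)
```

The sample-secret check goes one step beyond the reply, which does not comment on the shared secret.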