2009/12/11 nf-vale <nf-v...@critical-links.com>:
> On Friday 11 December 2009 11:59:33 Fabiano Caixeta Duarte wrote:
>> Maybe I didn't make myself clear.
>>
>> I don't have AD and don't wanna. I did set clients to use 802.1x.
>>
>> Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it
>> would depend on what you'd answer about my first question.
>
> Set XP clients to use 802.1x PEAP and don't forget to add your NAS client
> (switch) to the clients.conf file in radius.
>
> You should provide some more info about your current configuration (freeradius
> version, files modified by you, etc.) and at least some debug (radiusd -X)
> from a client authentication request for people to understand where you have
> gotten so far.

Ok. Let's follow that path. The confs I touched:

eap.conf:

    eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
        md5 {
        }
        leap {
        }
        gtc {
            auth_type = PAP
        }
        tls {
            certdir = ${confdir}/certs
            cadir = ${confdir}/certs
            private_key_password = whatever
            private_key_file = ${certdir}/server.pem
            certificate_file = ${certdir}/server.pem
            CA_file = ${cadir}/ca.pem
            dh_file = ${certdir}/dh
            random_file = ${certdir}/random
            cipher_list = "DEFAULT"
            make_cert_command = "${certdir}/bootstrap"
            cache {
                enable = no
                max_entries = 255
            }
        }
        ttls {
            default_eap_type = md5
            copy_request_to_tunnel = no
            use_tunneled_reply = no
            virtual_server = "inner-tunnel"
        }
        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = no
            use_tunneled_reply = no
            virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
    }

modules/ldap:

    ldap {
        server = "sti-teste.domain.br"
        identity = "cn=system,dc=domain,dc=br"
        password = secret
        basedn = "ou=Users,dc=domain,dc=br"
        base_filter = "(objectclass=radiusprofile)"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
            start_tls = no
        }
        access_attr = "radiusFilterId"
        dictionary_mapping = ${confdir}/ldap.attrmap
        authtype = ldap
        edir_account_policy_check = no
    }

sites-enabled/inner-tunnel:

    server inner-tunnel {
        authorize {
            chap
            mschap
            unix
            suffix
            update control {
                Proxy-To-Realm := LOCAL
            }
            eap {
                ok = return
            }
            files
            ldap
            expiration
            logintime
            pap
        }
        authenticate {
            Auth-Type PAP {
                pap
            }
            Auth-Type CHAP {
                chap
            }
            Auth-Type MS-CHAP {
                mschap
            }
            unix
            Auth-Type LDAP {
                ldap
            }
            eap
        }
        session {
            radutmp
        }
        post-auth {
            Post-Auth-Type REJECT {
                attr_filter.access_reject
            }
        }
        pre-proxy {
        }
        post-proxy {
            eap
        }
    }

clients.conf:

    client angelina {
        ipaddr = 192.168.205.6
        secret = testing123
    }
    client tplink {
        ipaddr = 192.168.205.29
        secret = testing123
    }

    # radtest teste secret angelina 1812 testing123
    Sending Access-Request of id 48 to 192.168.205.6 port 1812
            User-Name = "teste"
            User-Password = "secret"
            NAS-IP-Address = 192.168.205.6
            NAS-Port = 1812
    rad_recv: Access-Accept packet from host 192.168.205.6 port 1812, id=48, length=64
            Filter-Id = "Enterasys:version=1:policy=Enterprise User"

-- 
Fabiano Caixeta Duarte
Computer Networks Specialist
Linux User #195299
Ribeirão Preto - SP

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
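The clients.conf and eap.conf posted above still carry the values FreeRADIUS ships in its example files (`secret = testing123`, `private_key_password = whatever`). The following is an added example, not code from the thread or from the FreeRADIUS project: a small parser for the nested `name { key = value }` config format that walks the tree and flags any shared secret or key password left at a shipped default. The sample text is constructed from the post's fragments, and the set of default values is an assumption for the check.

```python
# Constructed sample: fragments of the posted clients.conf and eap.conf,
# still carrying the example values FreeRADIUS ships with.
SAMPLE_CONF = """
client angelina {
    ipaddr = 192.168.205.6
    secret = testing123      # shipped example secret
}
eap {
    default_eap_type = peap
    tls {
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
    }
}
"""

# Assumed list of values that appear in the stock example configs and
# must be replaced before a server faces real NAS clients.
DEFAULT_SECRETS = {"testing123", "whatever"}
SECRET_KEYS = {"secret", "private_key_password", "password"}


def parse_conf(text):
    """Parse FreeRADIUS-style nested blocks into a dict tree.

    Block headers such as 'client angelina' or 'update control' are kept
    whole as keys; '#' comments are stripped; quoted values lose their quotes.
    """
    root, stack, cur = {}, [], None
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        elif line == "}":
            cur = stack.pop()
        else:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip().strip('"')
    if stack:
        raise ValueError("unbalanced braces in config")
    return root


def find_default_secrets(tree, path=()):
    """Return (dotted.path, value) pairs for secrets still set to a shipped default."""
    hits = []
    for key, value in tree.items():
        if isinstance(value, dict):
            hits.extend(find_default_secrets(value, path + (key,)))
        elif key in SECRET_KEYS and value in DEFAULT_SECRETS:
            hits.append((".".join(path + (key,)), value))
    return hits
```

Running `find_default_secrets(parse_conf(SAMPLE_CONF))` on the sample reports both the NAS shared secret and the TLS key password, which is what an audit of a test box like the one in the thread should turn up before it goes into production.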