On Friday 11 December 2009 18:32:02 Fabiano Caixeta Duarte wrote:
> 2009/12/11 nf-vale <[email protected]>:
> > On Friday 11 December 2009 11:59:33 Fabiano Caixeta Duarte wrote:
> >> Maybe I didn't make myself clear.
> >>
> >> I don't have AD and don't wanna. I did set clients to use 802.1x
> >>
> >> Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it
> >> would depend on what you'd answer about my first question.
> >
> > Set XP clients to use 802.1x PEAP and don't forget to add your nas client
> > (switch) to the clients.conf file in radius.
> >
> > You should provide some more info about your current configuration
> > (freeradius version, files modified by you, etc) and at least some debug
> > (radiusd -X) from a client authentication request for people to
> > understand where you have got so far.
>
> Ok. Let's follow that path.
>
> The confs I touched:
>
> eap.conf:
> eap {
>     default_eap_type = peap
>     timer_expire = 60
>     ignore_unknown_eap_types = no
>     cisco_accounting_username_bug = no
>     max_sessions = 2048
>     md5 {
>     }
>     leap {
>     }
>     gtc {
>         auth_type = PAP
>     }
>     tls {
>         certdir = ${confdir}/certs
>         cadir = ${confdir}/certs
>         private_key_password = whatever
>         private_key_file = ${certdir}/server.pem
>         certificate_file = ${certdir}/server.pem
>         CA_file = ${cadir}/ca.pem
>         dh_file = ${certdir}/dh
>         random_file = ${certdir}/random
>         cipher_list = "DEFAULT"
>         make_cert_command = "${certdir}/bootstrap"
>         cache {
>             enable = no
>             max_entries = 255
>         }
>     }
>     ttls {
>         default_eap_type = md5
>         copy_request_to_tunnel = no
>         use_tunneled_reply = no
>         virtual_server = "inner-tunnel"
>     }
>     peap {
>         default_eap_type = mschapv2
>         copy_request_to_tunnel = no
>         use_tunneled_reply = no
>         virtual_server = "inner-tunnel"
>     }
>     mschapv2 {
>     }
> }
>
> modules/ldap:
> ldap {
>     server = "sti-teste.domain.br"
>     identity = "cn=system,dc=domain,dc=br"
>     password = secret
>     basedn = "ou=Users,dc=domain,dc=br"
>     base_filter = "(objectclass=radiusprofile)"
>     ldap_connections_number = 5
>     timeout = 4
>     timelimit = 3
>     net_timeout = 1
>     tls {
>         start_tls = no
>     }
>     access_attr = "radiusFilterId"
>     dictionary_mapping = ${confdir}/ldap.attrmap
>     authtype = ldap
>     edir_account_policy_check = no
> }
>
> sites-enabled/inner-tunnel:
> server inner-tunnel {
>     authorize {
>         chap
>         mschap
>         unix
>         suffix
>         update control {
>             Proxy-To-Realm := LOCAL
>         }
>         eap {
>             ok = return
>         }
>         files
>         ldap
>         expiration
>         logintime
>         pap
>     }
>     authenticate {
>         Auth-Type PAP {
>             pap
>         }
>         Auth-Type CHAP {
>             chap
>         }
>         Auth-Type MS-CHAP {
>             mschap
>         }
>         unix
>         Auth-Type LDAP {
>             ldap
>         }
>         eap
>     }
>     session {
>         radutmp
>     }
>     post-auth {
>         Post-Auth-Type REJECT {
>             attr_filter.access_reject
>         }
>     }
>     pre-proxy {
>     }
>     post-proxy {
>         eap
>     }
> }
>
> clients.conf:
> client angelina {
>     ipaddr = 192.168.205.6
>     secret = testing123
> }
> client tplink {
>     ipaddr = 192.168.205.29
>     secret = testing123
> }
>
> # radtest teste secret angelina 1812 testing123
> Sending Access-Request of id 48 to 192.168.205.6 port 1812
>         User-Name = "teste"
>         User-Password = "secret"
>         NAS-IP-Address = 192.168.205.6
>         NAS-Port = 1812
> rad_recv: Access-Accept packet from host 192.168.205.6 port 1812,
> id=48, length=64
>         Filter-Id = "Enterasys:version=1:policy=Enterprise User"
>
Ok, but what about a debug from a request made by an XP client using PEAP connected to your switch?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
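The radtest run quoted above exercises only PAP against the shared secret in clients.conf. The block below is an added example, not code from this thread or from the FreeRADIUS project: a stdlib-only Python client that rebuilds that exchange at packet level, with the User-Password hiding from RFC 2865 section 5.2 and the Response Authenticator check a real NAS performs before it trusts any attribute in the reply, plus the server-side response builder so the check can be exercised offline. The server address, secret, user name and Filter-Id used as defaults are the values from the quoted message; everything else (function names, the command-line usage) is an assumption of this example.

```python
#!/usr/bin/env python3
"""Minimal RADIUS/PAP client (RFC 2865), stdlib only. Added example, not from the
thread: it replays the quoted radtest exchange at packet level so the shared-secret
check that clients.conf depends on is visible. Names and defaults are assumptions."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, FILTER_ID = 1, 2, 4, 5, 11


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the server does before checking PAP."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(t: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", t, len(value) + 2) + value


def parse_attrs(data: bytes) -> list:
    """Split an attribute list, rejecting truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(ident, secret, username, password, nas_ip, nas_port, authenticator=None):
    """Same four attributes radtest sends. Returns (packet, request_authenticator)."""
    ra = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra


def build_response(code, ident, request_authenticator, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = b"".join(attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def check_response(response, request_authenticator, secret):
    """Verify the Response Authenticator before trusting anything in the reply. A mismatch
    means the secret differs from the server's clients.conf entry, or the reply was spoofed."""
    if len(response) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length < 20 or length > len(response):
        raise ValueError("bad length")
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code, ident, parse_attrs(response[20:length])


def radtest(server, secret, username, password, nas_ip, nas_port=1812, port=1812, timeout=3.0):
    """Send one Access-Request over UDP and return (accepted, reply attributes)."""
    ident = os.urandom(1)[0]
    pkt, ra = build_access_request(ident, secret, username, password, nas_ip, nas_port)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        data, _ = s.recvfrom(4096)
    code, rid, attrs = check_response(data, ra, secret)
    if rid != ident:
        raise ValueError("reply id does not match request")
    return code == ACCESS_ACCEPT, attrs


if __name__ == "__main__":
    import sys
    # usage (assumed): radpap.py 192.168.205.6 testing123 teste secret [nas-ip]
    srv, sec, usr, pw = sys.argv[1:5]
    ok, attrs = radtest(srv, sec.encode(), usr, pw, sys.argv[5] if len(sys.argv) > 5 else srv)
    print("Access-Accept" if ok else "Access-Reject", attrs)
```

Run against the quoted setup it should return the same Filter-Id radtest printed, and a deliberately wrong secret fails on the Response Authenticator rather than on an Access-Reject, which is the usual symptom of a NAS missing from clients.conf or carrying a different secret. Note that this, like radtest, only proves the PAP path: a PEAP request from the XP client ends up in the inner-tunnel virtual server, where the mschap module needs a Cleartext-Password or NT-Password for the user, and an LDAP bind (Auth-Type LDAP) can only verify PAP, so a passing radtest says nothing about PEAP/MS-CHAPv2. To reproduce a PEAP request without the XP client, eapol_test from wpa_supplicant (eap=PEAP, phase2="auth=MSCHAPV2") pointed at the server with the same secret gives a request that radiusd -X can be run against.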

