Thank you, I have done that already. The IP and the shared secret
is inside the EAP config of the router just like you say. I have
ping contact from the PC to the router. The configuration "client
router { secret = testing123; ipaddr = 192.168.0.1; }" should
work so that I would be able to send "radtest sigbj testing-0
192.168.0.1 0 testing123" to the router to have the router call
the radiusd at 192.168.0.199. Using 127.0.0.1 there is full
acceptance both with radtetst -t eap-md5, chap, mschap, pap. It
IS working, and WELL too. -- The mysql part I have not tried out,
but it is not so important at this stage.To me the radius is so well configured and constructed that it should be this simple, at least taken in consideration the docu I have read. The problem seems to be that call from the computer to the NAS-client (the router) does not come through, or the NAS will not send requests to the radius server. Again, it might be a network problem, a missing part from my side, or something else. Strange is it, because the router works with WAP-PSK -- Si St [1][email protected] On Sun, Jul 15, 2012, at 11:21 PM, Andrew Andonopoulos wrote: Hi, you can use the following to include all the IPs inside the clients file: client 0.0.0.0/0 { secret = mysecret shortname = myNAS } >From the router's side you need to write a command to add your radius shar ed key and ip. For example if it's allied telesis radius-server key <key> radius-server host <ip> for cisco is something similar. If you are using Mysql then you need to add it to the nas table but before that you need to edit the sql.conf file and uncomment the radclients = ye s for example my Mysql nas table is like that: +----+----------+--------------+-------+-------+--------+-----------+----- ----------+--------+ | id | nasname | shortname | type | ports | secret | community | desc ription | server | +----+----------+--------------+-------+-------+--------+-----------+----- ----------+--------+ | 1 | <IP> | Core | other | NULL | <key> | NULL | Radi us Client | NULL | | 2 | <IP> | ZoneDirector | other | NULL | <key> | NULL | Radi us Client | NULL | +----+----------+--------------+-------+-------+--------+-----------+----- ----------+--------+ because i am using the core and the zone director as a NAS. Good luck Andrew > From: [email protected] > To: [email protected] > Subject: a router as NAS > Date: Sun, 15 Jul 2012 18:49:18 +0200 > > (I think I messed up the previous posting by returning on a previous by > Winter answered post. This message is found in the end of that post. I > am sorry. Hope this one comes in with the new subject.) > Can I connect to radius via a router that has a guestzone? It simply > means that the router has an extra guestzone interface that also > contains choice for PSK or EAP > > From the following information I wonder why the radiusd is not > responding.Remember I am trying to log in with the radius from the PC > where the radius is installed. Radius is on 192.168.0.198 and I am > attempting login or request from 192.168.0.198. This may also be a > mistake. Maybe there will be a conflict betw 192.168.0.1 = router and > 192.168.0.198 localhost. I simply dont know. > > The router is a DLINK 655 > The OS is SuSE Linux Enterprise Desktop 10, ServPack 3 > The radius is the freeradiu-sserver-2.1.12 > > Here are the fields from this zone in the router: > **ROUTER PART** > "Use this section to configure the guest zone settings of your router. > The guest zone provide a separate network zone for guest to access > Internet": > > --GUEST ZONE SELECTION-- > Enable Guest Zone : (Yes) > Wireless Band : 2.4GHz Band > Wireless Network Name : EAP_sled (Also called the SSID) > Enable Routing Between Zones : (No) > Security Mode : WPA-Enterprise > > --WPA-- > WPA Mode : Auto (WPA or WPA2) > Cipher Type : TKIP and AES > Group Key Update Interval : 3600 (seconds) > > --EAP (802.1x)-- > > "When WPA enterprise is enabled, the router uses EAP (802.1x) to > authenticate clients via a remote RADIUS server." > > Authentication Timeout : 60 (minutes) > RADIUS server IP Address : 192.168.0.198 > RADIUS server Port : 1812 > RADIUS server Shared Secret : testing123 > MAC Address Authentication : No > **CLIENT.CONF** > Then I change the client.conf from localhost 127.0.0.1 to the IP of the > router 192.168.0.1 > #client localhost { > # Allowed values are: > # dotted quad (1.2.3.4) > # hostname (radius.example.com) > # ipaddr = 127.0.0.1 > # Test with router: > client router { > # Allowed values are: > # dotted quad (1.2.3.4) > # hostname (radius.example.com) > ipaddr = 192.168.0.1 > # > and I keep rest of it as it was. > > **/ETC/HOSTS/** > I put in a line in /etc/hosts/ (I am not sure if it is right or > necessary: > # IP-Address Full-Qualified-Hostname Short-Hostname > 192.168.0.1 router dlink > > **YAST CONFIG FOR THE USERCLIENT** > I change the setup in system (YaST)from PKS key to EAP: > --MODUS-- > Accesspoint: (Yes) > Ad hoc: no > Master: no > --NETWORKNAME SSID-- > EAP_sled > --AUTHENTICATION MODUS-- > Open: no > Shared key: no > WPA-EAP (Yes) > WPA-PSK: no > EAP Modus: TTLS > Identity: sigbj (as in /usr/local/etc/raddb/users) > Password: testing-0 (as in /usr/local/etc/raddb/users) > Anonymous identity: (left open) > Client-Sert: (closed) > Client-Key: (closed) > Client-Key_password: whatever > Server-Sert: /usr/local/etc/raddb/certs/server.csr > > I have made no changes in eap.conf and radius.conf > > I try to start the radiusd -X with these changes (the previous test on > localhost is successful: "Ready to process requests." And radtest test > gives the right feedback:Sending Access-Accept of id 178 to 127.0.0.1 > port 1932,so this test part works) > > Some of the messages from the radiusd -X with the changed client.conf: > ........ > radiusd: #### Loading Clients #### > client router { > ipaddr = 192.168.0.1 > require_message_authenticator = no > secret = "testing123" > nastype = "other" > ............. > ... adding new socket proxy address * port 1047 > Listening on authentication address * port 1812 > Listening on accounting address * port 1813 > Listening on command file /usr/local/var/run/radiusd/radiusd.sock > Listening on authentication address 127.0.0.1 port 18120 as server > inner-tunnel > Listening on proxy address * port 1814 > Ready to process requests. > > radtest gives this: > Sending Access-Request of id 207 to 127.0.0.1 port 1812 > User-Name = "sigbj" > User-Password = "testing-0" > NAS-IP-Address = 192.168.0.198 > NAS-Port = 0 > Message-Authenticator = 0x00000000000000000000000000000000 > radclient: no response from server for ID 207 socket 3 > > and radiusd consequently: > Ignoring request to authentication address * port 1812 from unknown > client 127.0.0.1 port 1048 > > Trying to login with the Knetworkmanager (KDE) on to the network gives > no reaction on the server, server is just waiting, the knetworkmanager > may blink or just dryrun. I have a feeling that the server is listening > on the 127.0.0.1 instead on 192.168.0.1, but do not know > > I am of course doing a typical newbie mistake somewhere, but I do not > know what. > > IF YOU NEED THE WHOLE RADIUSD -X LOG AT THIS POINT, PLEASE TELL ME. I > have given this explanations to begin with. The problems may also be > that a router of this kind cannot be used on freeradius or that the > router is 100% "Windows-messed-up". > > -- > Si St > [email protected] > > -- > http://www.fastmail.fm - The professional email service > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html References 1. mailto:[email protected] -- http://www.fastmail.fm - Accessible with your email software or over the web
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
