Radius - Debian - Cisco

[fabien49]

Bonjour,

Voici ma configuration:

Serveur Debian avec freeradius 2.1.12

- Mysql (users (MAC CLIENT) et bornes dans les tables radcheck et nas)

Borne Wifi Cisco WAP4410N

- WPA2 Entreprise

- 802.1X Supplicant activé

Pc portable (XP SP3)

- Certificats client et CA installés

Le problème :

Je n'arrive pas a avoir internet :(

En faisant un freeradius -X sur le serveur et en me connectant avec le portable, j'arrive bien a m'authentifier ([pap] user authenticated successfully) et aucun ERROR ou WARNING.

Dans les log CISCO:

J'ai toujours ça

Nov 10 10:39:56 kernel: [][MAC CLIENT] SUBTYPE_AUTH

Nov 10 10:39:56 kernel: [ciscosb][MAC CLIENT] Deauthenticated

Nov 10 10:39:56 kernel: [][MAC CLIENT] SUBTYPE_AUTH

Nov 10 10:39:56 kernel: [ciscosb][MAC CLIENT Deauthenticated

J'ai besoin d'aide pour faire fonctionner tout ça

Merci

[piwi82]

Qu'as-tu déclaré dans clients.conf ?

Si tu pouvais poster tes fichiers de conf ici, ça serait plus facile de t'aider.

[fabien49]

ba il y a rien dans client.conf vu que j'utilise mysql.

mais dans la table radcheck, j'ai ajouter:

username | attribute | op | value

---------------------------------------------

test0 | User-Password | == | userpassword

@mac client |User-Password | == | @mac client

mais dans la table radcheck, j'ai ajouter:

nasname | shortname | secret

----------------------------

127.0.0.1 | localhost | secret_password

192.168.0.246 | ciscosb | secret_password

j'envoie les fichiers de conf.

merci

[fabien49]

Voici mes fichiers de conf

##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)eap {	default_eap_type = tls	timer_expire     = 60	ignore_unknown_eap_types = no	cisco_accounting_username_bug = no	max_sessions = 4096	tls {		certdir = ${confdir}/certs		cadir = ${confdir}/certs		private_key_password = secret_password		private_key_file = ${certdir}/server@cert.pem		certificate_file = ${certdir}/server@cert.pem		CA_file = ${cadir}/root_CA-cacert.pem		dh_file = ${certdir}/dh		random_file = ${certdir}/random		check_crl = no		CA_path = ${cadir}/		cipher_list = "DEFAULT"		cache {	 		      lifetime = 24 # hours		      max_entries = 255		}	}}

## radiusd.conf	-- FreeRADIUS server configuration file.prefix = /usrexec_prefix = /usrsysconfdir = /etclocalstatedir = /varsbindir = ${exec_prefix}/sbinlogdir = /var/log/freeradiusraddbdir = /etc/freeradiusradacctdir = ${logdir}/radacctname = freeradiusconfdir = ${raddbdir}run_dir = ${localstatedir}/run/freeradiusdb_dir = ${raddbdir}libdir = /usr/lib/freeradiuspidfile = ${run_dir}/freeradius.piduser = freeradgroup = freeradmax_request_time = 30cleanup_delay = 5max_requests = 1024listen {type = authipaddr = *port = 0}listen {ipaddr = *port = 0type = acct}hostname_lookups = noallow_core_dumps = noregular_expressions	= yesextended_expressions	= yeslog {destination = filessyslog_facility = daemonstripped_names = yesauth = yesauth_badpass = yesauth_goodpass = yes}security {max_attributes = 200reject_delay = 1status_server = yes}proxy_requests  = yes$INCLUDE proxy.confthread pool {min_spare_servers = 3max_spare_servers = 10max_requests_per_server = 0}modules {$INCLUDE ${confdir}/modules/$INCLUDE eap.conf$INCLUDE sql.conf$INCLUDE sql/mysql/counter.conf}instantiate {execexprexpirationlogintime}$INCLUDE policy.conf$INCLUDE sites-enabled/

## sql.conf -- SQL modulessql {database = "mysql"driver = "rlm_sql_${database}"server = "localhost"login = "radius"radius_db = "radius"acct_table1 = "radacct"acct_table2 = "radacct"postauth_table = "radpostauth"authcheck_table = "radcheck"authreply_table = "radreply"groupcheck_table = "radgroupcheck"groupreply_table = "radgroupreply"usergroup_table = "radusergroup"deletestalesessions = yessqltrace = nosqltracefile = ${logdir}/sqltrace.sqlnum_sql_socks = 5connect_failure_retry_delay = 60lifetime = 0max_queries = 0readclients = yesnas_table = "nas"$INCLUDE sql/${database}/dialup.conf}

authorize {preprocesschapsuffixeap {	ok = return}sqlexpirationlogintime}authenticate {Auth-Type CHAP {	chap}Auth-Type MS-CHAP {	mschap}unixeap}preacct {preprocessacct_uniquesuffix}accounting {detailradutmpsqlsql_logexecattr_filter.accounting_response}session {radutmpsql}post-auth {sqlPost-Auth-Type REJECT {	sql	attr_filter.access_reject}}

[piwi82]

Tu as testé avec la commande radtest ?

Vérifie que tu as bien suivi les instructions pour les clients définis dans une base SQL :

      #  Clients can also be defined dynamically at run time, based     #  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,     #  etc.     #  See raddb/sites-available/dynamic-clients for details.

source :http://wiki.freeradius.org/Clients.conf

[fabien49]

oui et je n'ai pas d'erreur

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=80, lenght=20

Pour l'ajout des utilisateurs, j'ai suivis différents tutos.