Forum Linux.debian/ubuntu erreur freeradius

Posté par  . Licence CC By‑SA.
30 juil. 2016
including configuration file /usr/local/etc/raddb/modules/dhcp_sqlippool
including configuration file /usr/local/etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /usr/local/etc/raddb/modules/radrelay
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
main {
    allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
    name = "radiusd"
    prefix = "/usr/local"
    localstatedir = "/usr/local/var"
    sbindir = "/usr/local/sbin"
    logdir = "/usr/local/var/log/radius"
    run_dir = "/usr/local/var/run/radiusd"
    libdir = "/usr/local/lib"
    radacctdir = "/usr/local/var/log/radius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
    checkrad = "/usr/local/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
 log {
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
 }
 security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
 }
 home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth"
    secret = "testing123"
    response_window = 20
    max_outstanding = 65536
    require_message_authenticator = yes
    zombie_period = 40
    status_check = "status-server"
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
  coa {
    irt = 2
    mrt = 16
    mrc = 5
    mrd = 30
  }
 }
 home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
 }
 realm example.com {
    auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    shortname = "localhost"
    nastype = "other"
 }
 client 127.0.0.1 {
    require_message_authenticator = no
    secret = "testing123"
    shortname = "localhost"
    nastype = "other"
 }
WARNING: Ignoring duplicate client 127.0.0.1
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec
  exec {
    wait = no
    input_pairs = "request"
    shell_escape = yes
    timeout = 10
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration
  expiration {
    reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime
  logintime {
    reply-message = "You are calling outside your allowed timespan  "
    minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
 modules {
  Module: Creating Auth-Type = digest
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap
  pap {
    encryption_scheme = "auto"
    auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap
  mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = no
    allow_retry = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix
  unix {
    radwtmp = "/usr/local/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
  eap {
    default_eap_type = "tls"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
    challenge = "Password: "
    auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    CA_path = "/usr/local/openssl-certgen/ssl/certs"
    pem_file_type = yes
    private_key_file = "/usr/local/openssl-certgen/ssl/certs/serveur.pem"
    certificate_file = "/usr/local/openssl-certgen/ssl/certs/serveur.pem"
    CA_file = "/usr/local/openssl-certgen/ssl/certs/root.pem"
    private_key_password = "fergisuriel"
    dh_file = "/usr/local/openssl-certgen/ssl/certs/dh"
    random_file = "/usr/local/openssl-certgen/ssl/certs/random"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    check_cert_cn = "%{User-Name}"
    cipher_list = "DEFAULT"
    make_cert_command = "/usr/local/openssl-certgen/ssl/certs/bootstrap"
    ecdh_curve = "prime256v1"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
    verify {
    }
    ocsp {
        enable = no
        override_cert_url = yes
        url = "http://127.0.0.1/ocsp/"
        use_nonce = yes
        timeout = 0
        softfail = no
    }
   }
rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
rlm_eap_tls: Error reading certificate file /usr/local/openssl-certgen/ssl/certs/serveur.pem
rlm_eap: Failed to initialize type tls
/usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/usr/local/etc/raddb/sites-enabled/default[310]: Failed to find "eap" in the "modules" section.
/usr/local/etc/raddb/sites-enabled/default[252]: Errors parsing authenticate section. 
root@fredy:/usr/local/etc/raddb# ^C
root@fredy:/usr/local/etc/raddb# clear

root@fredy:/usr/local/etc/raddb# radiusd -X
radiusd: FreeRADIUS Version 2.2.2, for host x86_64-unknown-linux-gnu, built on Nov 11 2015 at 16:12:24
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/cache
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/dhcp_sqlippool
including configuration file /usr/local/etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /usr/local/etc/raddb/modules/radrelay
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
main {
    allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
    name = "radiusd"
    prefix = "/usr/local"
    localstatedir = "/usr/local/var"
    sbindir = "/usr/local/sbin"
    logdir = "/usr/local/var/log/radius"
    run_dir = "/usr/local/var/run/radiusd"
    libdir = "/usr/local/lib"
    radacctdir = "/usr/local/var/log/radius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
    checkrad = "/usr/local/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
 log {
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
 }
 security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
 }
 home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth"
    secret = "testing123"
    response_window = 20
    max_outstanding = 65536
    require_message_authenticator = yes
    zombie_period = 40
    status_check = "status-server"
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
  coa {
    irt = 2
    mrt = 16
    mrc = 5
    mrd = 30
  }
 }
 home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
 }
 realm example.com {
    auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    shortname = "localhost"
    nastype = "other"
 }
 client 127.0.0.1 {
    require_message_authenticator = no
    secret = "testing123"
    shortname = "localhost"
    nastype = "other"
 }
WARNING: Ignoring duplicate client 127.0.0.1
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec
  exec {
    wait = no
    input_pairs = "request"
    shell_escape = yes
    timeout = 10
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration
  expiration {
    reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime
  logintime {
    reply-message = "You are calling outside your allowed timespan  "
    minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
 modules {
  Module: Creating Auth-Type = digest
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap
  pap {
    encryption_scheme = "auto"
    auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap
  mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = no
    allow_retry = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix
  unix {
    radwtmp = "/usr/local/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
  eap {
    default_eap_type = "tls"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
    challenge = "Password: "
    auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    CA_path = "/usr/local/openssl-certgen/ssl/certs"
    pem_file_type = yes
    private_key_file = "/usr/local/openssl-certgen/ssl/certs/serveur.pem"
    certificate_file = "/usr/local/openssl-certgen/ssl/certs/serveur.pem"
    CA_file = "/usr/local/openssl-certgen/ssl/certs/root.pem"
    private_key_password = "fergisuriel"
    dh_file = "/usr/local/openssl-certgen/ssl/certs/dh"
    random_file = "/usr/local/openssl-certgen/ssl/certs/random"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    check_cert_cn = "%{User-Name}"
    cipher_list = "DEFAULT"
    make_cert_command = "/usr/local/openssl-certgen/ssl/certs/bootstrap"
    ecdh_curve = "prime256v1"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
    verify {
    }
    ocsp {
        enable = no
        override_cert_url = yes
        url = "http://127.0.0.1/ocsp/"
        use_nonce = yes
        timeout = 0
        softfail = no
    }
   }
rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
rlm_eap_tls: Error reading certificate file /usr/local/openssl-certgen/ssl/certs/serveur.pem
rlm_eap: Failed to initialize type tls
/usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/usr/local/etc/raddb/sites-enabled/default[310]: Failed to find "eap" in the "modules" section.
/usr/local/etc/raddb/sites-enabled/default[252]: Errors parsing authenticate section. 
root@fredy:/usr/local/etc/raddb# 
  • # freeradius

    Posté par  . Évalué à 1.

    Aidez-moi, merci. Je suis sur un Debian 7 Wheezy amd64 ; c'est pour la soutenance de mon mémoire de licence.

    • [^] # Re: freeradius

      Posté par  . Évalué à 2. Dernière modification le 30 juillet 2016 à 15:51.

      C'est sûr, c'est mieux avec quelques commentaires. Question bête, je suppose : c'est normal qu'il y ait plusieurs main {} ?

  • # Et pour comprendre :

    Posté par  . Évalué à 1. Dernière modification le 30 juillet 2016 à 15:53.

    • Ce que tu veux faire
    • Quel est le problème
    • Dans quelle conditions il se produit
    • Les versions d'OS/logiciels impliqués

    On demande ici ou on en parle ce soir au Libanais ?

    ;-)
    Des gens voudront bien t'aider, mais il faut qu'ils comprennent comment t'aider.
    Là, ce n'est pas le cas :-)

    Julien_c'est_bien (y'a pas que Seb)

    • [^] # Re: Et pour comprendre :

      Posté par  . Évalué à 1. Dernière modification le 30 juillet 2016 à 18:00.

      OS et logiciels impliqués

      • Linux debian wheezy 7.0.0 amd 64 pour le serveur
      • Windows XP, 7 pour les postes clients
      • openssl-1.0.0s.tar.gz
      • freeradius-server-2.2.2 .tar.gz

      Ce que je veux faire : contribution à l'amélioration de la sécurité d'un réseau Wi-Fi au moyen d'un serveur d'authentification RADIUS sous Debian.

      Le problème : quand je lance la commande `radiusd -X`, je reçois vers la fin le message d'erreur suivant :

      rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
      rlm_eap_tls: Error reading certificate file /usr/local/openssl-certgen/ssl/certs/serveur.pem
      rlm_eap: Failed to initialize type tls
      /usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
      /usr/local/etc/raddb/sites-enabled/default[310]: Failed to find "eap" in the "modules" section.
      /usr/local/etc/raddb/sites-enabled/default[252]: Errors parsing authenticate section. 
      

      Or j'ai compilé tous les certificats (xpextensions, CA.root, CA.svr, CA.clt) dans le dossier « /usr/local/openssl-certgen/ssl/certs », ce qui me donne les fichiers demoCA fergis.der fergis.p12 fergis.pem newcert.pem root.der root.p12 root.pem serveur.der serveur.p12 serveur.pem xpextensions

      À noter qu'ici le client = fergis.

      /usr/local/etc/raddb# : ce dossier contient les fichiers eap.conf, clients.conf, radiusd.conf et users que j'ai modifiés.

      Un aperçu : eap.conf

      # -*- text -*-
      ##
      ##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
      ##
      ##  $Id: d2c2b658bed01c345e9e34d7420a5d0e5541eeae $
      
      #######################################################################
      #
      #  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
      #  is smart enough to figure this out on its own.  The most
      #  common side effect of setting 'Auth-Type := EAP' is that the
      #  users then cannot use ANY other authentication method.
      #
      #  EAP types NOT listed here may be supported via the "eap2" module.
      #  See experimental.conf for documentation.
      #
          eap {
              #  Invoke the default supported EAP type when
              #  EAP-Identity response is received.
              #
              #  The incoming EAP messages DO NOT specify which EAP
              #  type they will be using, so it MUST be set here.
              #
              #  For now, only one default EAP type may be used at a time.
              #
              #  If the EAP-Type attribute is set by another module,
              #  then that EAP type takes precedence over the
              #  default type configured here.
              #
              default_eap_type = tls
      
              #  A list is maintained to correlate EAP-Response
              #  packets with EAP-Request packets.  After a
              #  configurable length of time, entries in the list
              #  expire, and are deleted.
              #
              timer_expire     = 60
      
              #  There are many EAP types, but the server has support
              #  for only a limited subset.  If the server receives
              #  a request for an EAP type it does not support, then
              #  it normally rejects the request.  By setting this
              #  configuration to "yes", you can tell the server to
              #  instead keep processing the request.  Another module
              #  MUST then be configured to proxy the request to
              #  another RADIUS server which supports that EAP type.
              #
              #  If another module is NOT configured to handle the
              #  request, then the request will still end up being
              #  rejected.
              ignore_unknown_eap_types = no
      
              # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
              # a User-Name attribute in an Access-Accept, it copies one
              # more byte than it should.
              #
              # We can work around it by configurably adding an extra
              # zero byte.
              cisco_accounting_username_bug = no
      
              #
              #  Help prevent DoS attacks by limiting the number of
              #  sessions that the server is tracking.  Most systems
              #  can handle ~30 EAP sessions/s, so the default limit
              #  of 4096 should be OK.
              max_sessions = 4096
      
              # Supported EAP-types
      
              #
              #  We do NOT recommend using EAP-MD5 authentication
              #  for wireless connections.  It is insecure, and does
              #  not provide for dynamic WEP keys.
              #
      md5{
      
              }
      
              # Cisco LEAP
              #
              #  We do not recommend using LEAP in new deployments.  See:
              #  http://www.securiteam.com/tools/5TP012ACKE.html
              #
              #  Cisco LEAP uses the MS-CHAP algorithm (but not
              #  the MS-CHAP attributes) to perform it's authentication.
              #
              #  As a result, LEAP *requires* access to the plain-text
              #  User-Password, or the NT-Password attributes.
              #  'System' authentication is impossible with LEAP.
              #
              leap {
              }
      
              #  Generic Token Card.
              #
              #  Currently, this is only permitted inside of EAP-TTLS,
              #  or EAP-PEAP.  The module "challenges" the user with
              #  text, and the response from the user is taken to be
              #  the User-Password.
              #
              #  Proxying the tunneled EAP-GTC session is a bad idea,
              #  the users password will go over the wire in plain-text,
              #  for anyone to see.
              #
              gtc {
                  #  The default challenge, which many clients
                  #  ignore..
                  #challenge = "Password: "
      
                  #  The plain-text response which comes back
                  #  is put into a User-Password attribute,
                  #  and passed to another module for
                  #  authentication.  This allows the EAP-GTC
                  #  response to be checked against plain-text,
                  #  or crypt'd passwords.
                  #
                  #  If you say "Local" instead of "PAP", then
                  #  the module will look for a User-Password
                  #  configured for the request, and do the
                  #  authentication itself.
                  #
                  auth_type = PAP
              }
      
              ## EAP-TLS
              #
              #  See raddb/certs/README for additional comments
              #  on certificates.
              #
              #  If OpenSSL was not found at the time the server was
              #  built, the "tls", "ttls", and "peap" sections will
              #  be ignored.
              #
              #  Otherwise, when the server first starts in debugging
              #  mode, test certificates will be created.  See the
              #  "make_cert_command" below for details, and the README
              #  file in raddb/certs
              #
              #  These test certificates SHOULD NOT be used in a normal
              #  deployment.  They are created only to make it easier
              #  to install the server, and to perform some simple
              #  tests with EAP-TLS, TTLS, or PEAP.
              #
              #  See also:
              #
              #  http://www.dslreports.com/forum/remark,9286052~mode=flat
              #
              #  Note that you should NOT use a globally known CA here!
              #  e.g. using a Verisign cert as a "known CA" means that
              #  ANYONE who has a certificate signed by them can
              #  authenticate via EAP-TLS!  This is likely not what you want.
              tls {
                  #
                  #  These is used to simplify later configurations.
                  #
                  certdir =/usr/local/openssl-certgen/ssl/certs
      
                  cadir   =/usr/local/openssl-certgen/ssl/certs 
      
                  certdir = ${confdir}/certs
                  cadir   = ${confdir}/certs
      
                  private_key_password = fergisuriel
                  private_key_file = ${certdir}/serveur.pem
      
                  #  If Private key & Certificate are located in
                  #  the same file, then private_key_file &
                  #  certificate_file must contain the same file
                  #  name.
                  #
                  #  If CA_file (below) is not used, then the
                  #  certificate_file below MUST include not
                  #  only the server certificate, but ALSO all
                  #  of the CA certificates used to sign the
                  #  server certificate.
                  certificate_file = /usr/local/openssl-certgen/ssl/certs/serveur.pem
      
                  #  Trusted Root CA list
                  #
                  #  ALL of the CA's in this list will be trusted
                  #  to issue client certificates for authentication.
                  #
                  #  In general, you should use self-signed
                  #  certificates for 802.1x (EAP) authentication.
                  #  In that case, this CA file should contain
                  #  *one* CA certificate.
                  #
                  #  This parameter is used only for EAP-TLS,
                  #  when you issue client certificates.  If you do
                  #  not use client certificates, and you do not want
                  #  to permit EAP-TLS authentication, then delete
                  #  this configuration item.
                  CA_file = /usr/local/openssl-certgen/ssl/certs/root.pem
      
                  #
                  #  For DH cipher suites to work, you have to
                  #  run OpenSSL to create the DH file first:
                  #
                  #   openssl dhparam -out certs/dh 1024
                  #
                  dh_file = ${certdir}/dh
      
                  #
                  #  If your system doesn't have /dev/urandom,
                  #  you will need to create this file, and
                  #  periodically change its contents.
                  #
                  #  For security reasons, FreeRADIUS doesn't
                  #  write to files in its configuration
                  #  directory.
                  #
                  random_file = ${certdir}/random
      
                  #
                  #  This can never exceed the size of a RADIUS
                  #  packet (4096 bytes), and is preferably half
                  #  that, to accomodate other attributes in
                  #  RADIUS packet.  On most APs the MAX packet
                  #  length is configured between 1500 - 1600
                  #  In these cases, fragment size should be
                  #  1024 or less.
                  #
                         fragment_size = 1024
      
                  #  include_length is a flag which is
                  #  by default set to yes If set to
                  #  yes, Total Length of the message is
                  #  included in EVERY packet we send.
                  #  If set to no, Total Length of the
                  #  message is included ONLY in the
                  #  First packet of a fragment series.
                  #
                  include_length = yes
      
                  #  Check the Certificate Revocation List
                  #
                  #  1) Copy CA certificates and CRLs to same directory.
                  #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
                  #    'c_rehash' is OpenSSL's command.
                  #  3) uncomment the line below.
                  #  5) Restart radiusd
              #   check_crl = yes
                  CA_path = ${cadir}
      
                     #
                     #  If check_cert_issuer is set, the value will
                     #  be checked against the DN of the issuer in
                     #  the client certificate.  If the values do not
                      #  match, the certificate verification will fail,
                     #  rejecting the user.
                     #
                     #  In 2.1.10 and later, this check can be done
                     #  more generally by checking the value of the
                     #  TLS-Client-Cert-Issuer attribute.  This check
                     #  can be done via any mechanism you choose.
                     #
              #       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
      
                     #
                     #  If check_cert_cn is set, the value will
                     #  be xlat'ed and checked against the CN
                     #  in the client certificate.  If the values
                     #  do not match, the certificate verification
                     #  will fail rejecting the user.
                     #
                     #  This check is done only if the previous
                     #  "check_cert_issuer" is not set, or if
                     #  the check succeeds.
                     #
                     #  In 2.1.10 and later, this check can be done
                     #  more generally by checking the value of the
                     #  TLS-Client-Cert-CN attribute.  This check
                     #  can be done via any mechanism you choose.
                     #
                           check_cert_cn = %{User-Name}
              #
                  # Set this option to specify the allowed
                  # TLS cipher suites.  The format is listed
                  # in "man 1 ciphers".
                  cipher_list = "DEFAULT"
      
                  #
                  # As part of checking a client certificate, the EAP-TLS
                  # sets some attributes such as TLS-Client-Cert-CN. This
                  # virtual server has access to these attributes, and can
                  # be used to accept or reject the request.
                  #
              #   virtual_server = check-eap-tls
      
                  # This command creates the initial "snake oil"
                  # certificates when the server is run as root,
                  # and via "radiusd -X".
                  #
                  # As of 2.1.11, it *also* checks the server
                  # certificate for validity, including expiration.
                  # This means that radiusd will refuse to start
                  # when the certificate has expired.  The alternative
                  # is to have the 802.1X clients refuse to connect
                  # when they discover the certificate has expired.
                  #
                  # Debugging client issues is hard, so it's better
                  # for the server to print out an error message,
                  # and refuse to start.
                  #
                  make_cert_command = "${certdir}/bootstrap"
      
                  #
                  #  Elliptical cryptography configuration
                  #
                  #  Only for OpenSSL >= 0.9.8.f
                  #
                  ecdh_curve = "prime256v1"
      
                  #
                  #  Session resumption / fast reauthentication
                  #  cache.
                  #
                  #  The cache contains the following information:
                  #
                  #  session Id - unique identifier, managed by SSL
                  #  User-Name  - from the Access-Accept
                  #  Stripped-User-Name - from the Access-Request
                  #  Cached-Session-Policy - from the Access-Accept
                  #
                  #  The "Cached-Session-Policy" is the name of a
                  #  policy which should be applied to the cached
                  #  session.  This policy can be used to assign
                  #  VLANs, IP addresses, etc.  It serves as a useful
                  #  way to re-apply the policy from the original
                  #  Access-Accept to the subsequent Access-Accept
                  #  for the cached session.
                  #
                  #  On session resumption, these attributes are
                  #  copied from the cache, and placed into the
                  #  reply list.
                  #
                  #  You probably also want "use_tunneled_reply = yes"
                  #  when using fast session resumption.
                  #
                  cache {
                        #
                        #  Enable it.  The default is "no".
                        #  Deleting the entire "cache" subsection
                        #  Also disables caching.
                        #
                        #  You can disallow resumption for a
                        #  particular user by adding the following
                        #  attribute to the control item list:
                        #
                        #     Allow-Session-Resumption = No
                        #
                        #  If "enable = no" below, you CANNOT
                        #  enable resumption for just one user
                        #  by setting the above attribute to "yes".
                        #
                        enable = no
      
                        #
                        #  Lifetime of the cached entries, in hours.
                        #  The sessions will be deleted after this
                        #  time.
                        #
                        lifetime = 24 # hours
      
                        #
                        #  The maximum number of entries in the
                        #  cache.  Set to "0" for "infinite".
                        #
                        #  This could be set to the number of users
                        #  who are logged in... which can be a LOT.
                        #
                        max_entries = 255
                  }
      
                  #
                  #  As of version 2.1.10, client certificates can be
                  #  validated via an external command.  This allows
                  #  dynamic CRLs or OCSP to be used.
                  #
                  #  This configuration is commented out in the
                  #  default configuration.  Uncomment it, and configure
                  #  the correct paths below to enable it.
                  #
                  verify {
                      #  A temporary directory where the client
                      #  certificates are stored.  This directory
                      #  MUST be owned by the UID of the server,
                      #  and MUST not be accessible by any other
                      #  users.  When the server starts, it will do
                      #  "chmod go-rwx" on the directory, for
                      #  security reasons.  The directory MUST
                      #  exist when the server starts.
                      #
                      #  You should also delete all of the files
                      #  in the directory when the server starts.
              #           tmpdir = /tmp/radiusd
      
                      #  The command used to verify the client cert.
                      #  We recommend using the OpenSSL command-line
                      #  tool.
                      #
                      #  The ${..CA_path} text is a reference to
                      #  the CA_path variable defined above.
                      #
                      #  The %{TLS-Client-Cert-Filename} is the name
                      #  of the temporary file containing the cert
                      #  in PEM format.  This file is automatically
                      #  deleted by the server when the command
                      #  returns.
              #           client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
                  }
      
                  #
                  #  OCSP Configuration
                  #  Certificates can be verified against an OCSP
                  #  Responder. This makes it possible to immediately
                  #  revoke certificates without the distribution of
                   #  new Certificate Revocation Lists (CRLs).
                  #
                  ocsp {
                        #
                        #  Enable it.  The default is "no".
                        #  Deleting the entire "ocsp" subsection
                        #  Also disables ocsp checking
                        #
                        enable = no
      
                        #
                        #  The OCSP Responder URL can be automatically
                        #  extracted from the certificate in question.
                        #  To override the OCSP Responder URL set
                        #  "override_cert_url = yes". 
                        #
                        override_cert_url = yes
      
                        #
                        #  If the OCSP Responder address is not
                        #  extracted from the certificate, the
                        #  URL can be defined here.
      
                        #
                        #  Limitation: Currently the HTTP
                        #  Request is not sending the "Host: "
                        #  information to the web-server.  This
                        #  can be a problem if the OCSP
                        #  Responder is running as a vhost.
                        #
                        url = "http://127.0.0.1/ocsp/"
      
                        #
                        # If the OCSP Responder can not cope with nonce
                        # in the request, then it can be disabled here.
                        #
                        # For security reasons, disabling this option
                        # is not recommended as nonce protects against
                        # replay attacks.
                        #
                        # Note that Microsoft AD Certificate Services OCSP
                        # Responder does not enable nonce by default. It is
                        # more secure to enable nonce on the responder than
                        # to disable it in the query here.
                        # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
                        #
                        # use_nonce = yes
      
                        #
                        # Number of seconds before giving up waiting
                        # for OCSP response. 0 uses system default.
                        #
                        # timeout = 0
      
                        #
                        # Normally an error in querying the OCSP
                        # responder (no response from server, server did
                        # not understand the request, etc) will result in
                        # a validation failure.
                        #
                        # To treat these errors as 'soft' failures and
                        # still accept the certificate, enable this
                        # option.
                        # 
                        # Warning: this may enable clients with revoked
                        # certificates to connect if the OCSP responder
                        # is not available. Use with caution.
                        #
                        # softfail = no
                  }
              }
      
              #  The TTLS module implements the EAP-TTLS protocol,
              #  which can be described as EAP inside of Diameter,
              #  inside of TLS, inside of EAP, inside of RADIUS...
              #
              #  Surprisingly, it works quite well.
              #
              #  The TTLS module needs the TLS module to be installed
              #  and configured, in order to use the TLS tunnel
              #  inside of the EAP packet.  You will still need to
              #  configure the TLS module, even if you do not want
              #  to deploy EAP-TLS in your network.  Users will not
              #  be able to request EAP-TLS, as it requires them to
              #  have a client certificate.  EAP-TTLS does not
              #  require a client certificate.
              #
              #  You can make TTLS require a client cert by setting
              #
              #   EAP-TLS-Require-Client-Cert = Yes
              #
              #  in the control items for a request.
              #
              ttls {
                  #  The tunneled EAP session needs a default
                  #  EAP type which is separate from the one for
                  #  the non-tunneled EAP module.  Inside of the
                  #  TTLS tunnel, we recommend using EAP-MD5.
                  #  If the request does not contain an EAP
                  #  conversation, then this configuration entry
                  #  is ignored.
                  default_eap_type = md5
      
                  #  The tunneled authentication request does
                  #  not usually contain useful attributes
                  #  like 'Calling-Station-Id', etc.  These
                  #  attributes are outside of the tunnel,
                  #  and normally unavailable to the tunneled
                  #  authentication request.
                  #
                  #  By setting this configuration entry to
                   #  'yes', any attribute which is NOT in the
                  #  tunneled authentication request, but
                  #  which IS available outside of the tunnel,
                  #  is copied to the tunneled request.
                  #
                  # allowed values: {no, yes}
                  copy_request_to_tunnel = no
      
                  #  The reply attributes sent to the NAS are
                  #  usually based on the name of the user
                  #  'outside' of the tunnel (usually
                  #  'anonymous').  If you want to send the
                  #  reply attributes based on the user name
                  #  inside of the tunnel, then set this
                  #  configuration entry to 'yes', and the reply
                  #  to the NAS will be taken from the reply to
                  #  the tunneled request.
                  #
                  # allowed values: {no, yes}
                  use_tunneled_reply = no
      
                  #
                  #  The inner tunneled request can be sent
                  #  through a virtual server constructed
                  #  specifically for this purpose.
                  #
                  #  If this entry is commented out, the inner
                  #  tunneled request will be sent through
                  #  the virtual server that processed the
                  #  outer requests.
                  #
                  virtual_server = "inner-tunnel"
      
                  #  This has the same meaning as the
                  #  same field in the "tls" module, above.
                  #  The default value here is "yes".
              #   include_length = yes
              }
      
              ##################################################
              #
              #  !!!!! WARNINGS for Windows compatibility  !!!!!
              #
              ##################################################
              #
              #  If you see the server send an Access-Challenge,
              #  and the client never sends another Access-Request,
              #  then
              #
              #       STOP!
              #
              #  The server certificate has to have special OID's
              #  in it, or else the Microsoft clients will silently
              #  fail.  See the "scripts/xpextensions" file for
              #  details, and the following page:
              #
              #   http://support.microsoft.com/kb/814394/en-us
              #
              #  For additional Windows XP SP2 issues, see:
              #
              #   http://support.microsoft.com/kb/885453/en-us
              #
              #
               #  If it still doesn't work, and you're using Samba,
              #  you may be encountering a Samba bug.  See:
              #
              #   https://bugzilla.samba.org/show_bug.cgi?id=6563
              #
              #  Note that we do not necessarily agree with their
              #  explanation... but the fix does appear to work.
              #
              ##################################################
      
              #
              #  The tunneled EAP session needs a default EAP type
              #  which is separate from the one for the non-tunneled
              #  EAP module.  Inside of the TLS/PEAP tunnel, we
              #  recommend using EAP-MS-CHAPv2.
              #
              #  The PEAP module needs the TLS module to be installed
              #  and configured, in order to use the TLS tunnel
              #  inside of the EAP packet.  You will still need to
              #  configure the TLS module, even if you do not want
              #  to deploy EAP-TLS in your network.  Users will not
              #  be able to request EAP-TLS, as it requires them to
              #  have a client certificate.  EAP-PEAP does not
              #  require a client certificate.
              #
              #
              #  You can make PEAP require a client cert by setting
              #
              #   EAP-TLS-Require-Client-Cert = Yes
              #
              #  in the control items for a request.
              #
              peap {
                  #  The tunneled EAP session needs a default
                  #  EAP type which is separate from the one for
                  #  the non-tunneled EAP module.  Inside of the
                  #  PEAP tunnel, we recommend using MS-CHAPv2,
                  #  as that is the default type supported by
                  #  Windows clients.
                  default_eap_type = mschapv2
      
                  #  the PEAP module also has these configuration
                  #  items, which are the same as for TTLS.
                  copy_request_to_tunnel = no
                  use_tunneled_reply = no
      
                  #  When the tunneled session is proxied, the
                  #  home server may not understand EAP-MSCHAP-V2.
                  #  Set this entry to "no" to proxy the tunneled
                  #  EAP-MSCHAP-V2 as normal MSCHAPv2.
              #   proxy_tunneled_request_as_eap = yes
      
                  #
                  #  The inner tunneled request can be sent
                  #  through a virtual server constructed
                  #  specifically for this purpose.
                  #
                  #  If this entry is commented out, the inner
                  #  tunneled request will be sent through
                  #  the virtual server that processed the
                  #  outer requests.
                  #
                  virtual_server = "inner-tunnel"
      
                  # This option enables support for MS-SoH
                  # see doc/SoH.txt for more info.
                  # It is disabled by default.
                  #
      #           soh = yes
      
                  #
                  # The SoH reply will be turned into a request which
                  # can be sent to a specific virtual server:
                  #
      #           soh_virtual_server = "soh-server"
              }
      
              #
              #  This takes no configuration.
              #
              #  Note that it is the EAP MS-CHAPv2 sub-module, not
              #  the main 'mschap' module.
              #
              #  Note also that in order for this sub-module to work,
              #  the main 'mschap' module MUST ALSO be configured.
              #
              #  This module is the *Microsoft* implementation of MS-CHAPv2
              #  in EAP.  There is another (incompatible) implementation
              #  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
              #  currently support.
              #
              mschapv2 {
                  #  Prior to version 2.1.11, the module never
                  #  sent the MS-CHAP-Error message to the
                  #  client.  This worked, but it had issues
                  #  when the cached password was wrong.  The
                  #  server *should* send "E=691 R=0" to the
                  #  client, which tells it to prompt the user
                  #  for a new password.
                  #
                  #  The default is to behave as in 2.1.10 and
                  #  earlier, which is known to work.  If you
                  #  set "send_error = yes", then the error
                  #  message will be sent back to the client.
                  #  This *may* help some clients work better,
                  #  but *may* also cause other clients to stop
                  #  working.
                  #
      #           send_error = no
              }
          }   
      
      clients.conf
      
      # -*- text -*-
      ##
      ## clients.conf -- client configuration directives
      ##
      ##  $Id: 729c15d3e84c6cdb54a5f3652d93a2d7f8725fd4 $
      
      #######################################################################
      #
      #  Define RADIUS clients (usually a NAS, Access Point, etc.).
      
      #
      #  Defines a RADIUS client.
      #
      #  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
      #  to allow testing of the server after an initial installation.  If you
      #  are not going to be permitting RADIUS queries from localhost, we suggest
      #  that you delete, or comment out, this entry.
      #
      #
      
      #
      #  Each client has a "short name" that is used to distinguish it from
      #  other clients.
      #
      #  In version 1.x, the string after the word "client" was the IP
      #  address of the client.  In 2.0, the IP address is configured via
      #  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
      #  format is still accepted.
      #
      client localhost{
          #  Allowed values are:
          #   dotted quad (1.2.3.4)
          #       hostname    (radius.example.com)
          ipaddr = 127.0.0.1
      
          #  OR, you can use an IPv6 address, but not both
          #  at the same time.
      #   ipv6addr = ::   # any.  ::1 == localhost
      
          #
          #  A note on DNS:  We STRONGLY recommend using IP addresses
          #  rather than host names.  Using host names means that the
          #  server will do DNS lookups when it starts, making it
          #  dependent on DNS.  i.e. If anything goes wrong with DNS,
          #  the server won't start!
          #
          #  The server also looks up the IP address from DNS once, and
          #  only once, when it starts.  If the DNS record is later
          #  updated, the server WILL NOT see that update.
          #
      
          #  One client definition can be applied to an entire network.
          #  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
          #  "netmask = 8"
          #
          #  If not specified, the default netmask is 32 (i.e. /32)
          #
          #  We do NOT recommend using anything other than 32.  There
          #  are usually other, better ways to achieve the same goal.
          #  Using netmasks of other than 32 can cause security issues.
          #
          #  You can specify overlapping networks (127/8 and 127.0/16)
          #  In that case, the smallest possible network will be used
          #  as the "best match" for the client.
          #
          #  Clients can also be defined dynamically at run time, based
          #  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
          #  etc.
          #  See raddb/sites-available/dynamic-clients for details.
          #
      
      #   netmask = 32
      
          #
           #  The shared secret used to "encrypt" and "sign" packets between
          #  the NAS and FreeRADIUS.  You MUST change this secret from the
          #  default, otherwise it's not a secret any more!
          #
          #  The secret can be any string, up to 8k characters in length.
          #
           #  Control codes can be entered via octal encoding,
          #   e.g. "\101\102" == "AB"
          #  Quotation marks can be entered by escaping them,
          #   e.g. "foo\"bar"
          #
          #  A note on security:  The security of the RADIUS protocol
          #  depends COMPLETELY on this secret!  We recommend using a
          #  shared secret that is composed of:
          #
          #   upper case letters
          #   lower case letters
          #   numbers
          #
          #  And is at LEAST 8 characters long, preferably 16 characters in
          #  length.  The secret MUST be random, and should not be words,
           #  phrases, or anything else that is recognizable.
          #
          #  The default secret below is only for testing, and should
          #  not be used in any real environment.
          #
          secret      = testing123
      
          #
          #  Old-style clients do not send a Message-Authenticator
          #  in an Access-Request.  RFC 5080 suggests that all clients
          #  SHOULD include it in an Access-Request.  The configuration
          #  item below allows the server to require it.  If a client
          #  is required to include a Message-Authenticator and it does
          #  not, then the packet will be silently discarded.
          #
          #  allowed values: yes, no
          require_message_authenticator = no
      
          #
          #  The short name is used as an alias for the fully qualified
          #  domain name, or the IP address.
          #
          #  It is accepted for compatibility with 1.x, but it is no
          #  longer necessary in 2.0
          #
                       shortname = localhost
      
          #
          # the following three fields are optional, but may be used by
          # checkrad.pl for simultaneous use checks
          #
      
          #
          # The nastype tells 'checkrad.pl' which NAS-specific method to
          #  use to query the NAS for simultaneous use.
          #
          #  Permitted NAS types are:
          #
          #   cisco
          #   computone
          #   livingston
          #   juniper
          #   max40xx
          #   multitech
          #   netserver
          #   pathras
          #   patton
          #   portslave
          #   tc
          #   usrhiper
          #   other       # for all other types
      
          #
          nastype     = other
      
                     # localhost isn't usually a NAS...
      
          #
          #  The following two configurations are for future use.
          #  The 'naspasswd' file is currently used to store the NAS
          #  login name and password, which is used by checkrad.pl
          #  when querying the NAS for simultaneous use.
          #
      #   login       = !root
      #   password    = someadminpas
      
          #
          #  As of 2.0, clients can also be tied to a virtual server.
          #  This is done by setting the "virtual_server" configuration
          #  item, as in the example below.
          #
      #   virtual_server = home1
      
          #
          #  A pointer to the "home_server_pool" OR a "home_server"
          #  section that contains the CoA configuration for this
          #  client.  For an example of a coa home server or pool,
          #  see raddb/sites-available/originate-coa
      #   coa_server = coa
      }
      
      # IPv6 Client
      #client ::1 {
      #   secret      = testing123
      #   shortname   = localhost
      #}
      #
      # All IPv6 Site-local clients
      #client fe80::/16 {
      #   secret      = testing123
      #   shortname   = localhost
      #}
      
      #client some.host.org {
      #   secret      = testing123
      #   shortname   = localhost
      #}
      
      #
      #  You can now specify one secret for a network of clients.
      #  When a client request comes in, the BEST match is chosen.
      #  i.e. The entry from the smallest possible network.
      #
      #client 192.168.0.0/24 {
      #   secret      = testing123-1
      #   shortname   = private-network-1
      #}
      #
      #client 192.168.0.0/16 {
      #   secret      = testing123-2
      #   shortname   = private-network-2
      #}
      
      
       #
       #  NOTE(review): this section defines the same address as the
       #  "client localhost" section above (ipaddr = 127.0.0.1), so the
       #  server is handed two client definitions for one address.  The
       #  server should refuse the second one as a duplicate at startup --
       #  check the "radiusd -X" output; either delete this section or
       #  merge its settings into "client localhost".
       #
       #  The shared secret here is still the default "testing123"; the
       #  comments earlier in this file say it must be changed before the
       #  server is exposed to any real NAS.
       #
       #  Separately, the "client localhost{" header above lacks the space
       #  before "{" that every other section in this file has; worth
       #  normalising in case the parser is strict about it.
       #
       client 127.0.0.1 {
       secret = testing123
       shortname = localhost
       nastype = other
       }
      
      
      
      
      
      #client 10.10.10.10 {
      #   # secret and password are mapped through the "secrets" file.
      #   secret      = testing123
      #   shortname   = liv1
      #       # the following three fields are optional, but may be used by
      #       # checkrad.pl for simultaneous usage checks
      #   nastype     = livingston
      #   login       = !root
      #   password    = someadminpas
      #}
      
      #######################################################################
      #
      #  Per-socket client lists.  The configuration entries are exactly
      #  the same as above, but they are nested inside of a section.
      #
      #  You can have as many per-socket client lists as you have "listen"
      #  sections, or you can re-use a list among multiple "listen" sections.
      #
      #  Un-comment this section, and edit a "listen" section to add:
      #  "clients = per_socket_clients".  That IP address/port combination
      #  will then accept ONLY the clients listed in this section.
      #
      #clients per_socket_clients {
      #   client 192.168.3.4 {
      #       secret = testing123
      #        }
      #}
      
      
       ---radiusd.conf (j'ai pas modifié le fichier)
      
      ----users # fergis Auth-Type := local, User-Password == "fergisuriel"
      
      #
      #   Please read the documentation file ../doc/processing_users_file,
      #   or 'man 5 users' (after installing the server) for more information.
      #
      #   This file contains authentication security and configuration
      #   information for each user.  Accounting requests are NOT processed
      #   through this file.  Instead, see 'acct_users', in this directory.
      #
      #   The first field is the user's name and can be up to
      #   253 characters in length.  This is followed (on the same line) with
      #   the list of authentication requirements for that user.  This can
      #   include password, comm server name, comm server port number, protocol
      #   type (perhaps set by the "hints" file), and huntgroup name (set by
      #   the "huntgroups" file).
      #
      #   If you are not sure why a particular reply is being sent by the
      #   server, then run the server in debugging mode (radiusd -X), and
      #   you will see which entries in this file are matched.
      #
      #   When an authentication request is received from the comm server,
      #   these values are tested. Only the first match is used unless the
      #   "Fall-Through" variable is set to "Yes".
      #
      #   A special user named "DEFAULT" matches on all usernames.
      #   You can have several DEFAULT entries. All entries are processed
      #   in the order they appear in this file. The first entry that
      #   matches the login-request will stop processing unless you use
      #   the Fall-Through variable.
      #
      #   If you use the database support to turn this file into a .db or .dbm
      #   file, the DEFAULT entries _have_ to be at the end of this file and
      #   you can't have multiple entries for one username.
      #
      #   Indented (with the tab character) lines following the first
      #   line indicate the configuration values to be passed back to
      #   the comm server to allow the initiation of a user session.
      #   This can include things like the PPP configuration values
      #   or the host to log the user onto.
      #
      #   You can include another `users' file with `$INCLUDE users.other'
      #
      
      #
      #   For a list of RADIUS attributes, and links to their definitions,
      #   see:
      #
      #   http://www.freeradius.org/rfc/attributes.html
      #
      
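      #
      # Local test user "localhost".
      #
      # The stock example that lived here ("deny access for a specific user",
      # an Auth-Type := Reject entry with a Reply-Message) was replaced by this
      # entry.  Three things to keep in mind when editing it:
      #
      #  * One entry per user.  As the header above says, only the first
      #    matching entry is used unless it sets Fall-Through = Yes, so a
      #    second "localhost" line placed after one that already matched is
      #    never reached.  Keep the password check item on the single entry.
      #  * Do not force Auth-Type := EAP from this file.  The header above
      #    warns that an 'Auth-Type' attribute results in the user being
      #    authenticated by that method; the eap module is expected to set
      #    Auth-Type itself when an EAP-Message is present (NOTE(review):
      #    confirm against the authorize section of sites-enabled/default).
      #  * Entry lines start in column 0.  A line that starts with whitespace
      #    is parsed as a reply item of the previous entry, not as a new
      #    entry (see "Indented ... lines" in the header above).
      #
      # NOTE(review): this password has been posted publicly; change it
      # before this server is reachable by anything other than test clients.
      #
      "localhost"  Cleartext-Password := "fergisuriel"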
      
      #
      # Deny access for a group of users.
      #
      # Note that there is NO 'Fall-Through' attribute, so the user will not
      # be given any additional resources.
      #
      #DEFAULT    Group == "disabled", Auth-Type := Reject
      #       Reply-Message = "Your account has been disabled."
      #
      
      #
      # This is a complete entry for "steve". Note that there is no Fall-Through
      # entry so that no DEFAULT entry will be used, and the user will NOT
      # get any attributes in addition to the ones listed here.
      #
      #steve  Cleartext-Password := "testing"
      #   Service-Type = Framed-User,
      #   Framed-Protocol = PPP,
      #   Framed-IP-Address = 172.16.3.33,
      #   Framed-IP-Netmask = 255.255.255.0,
      #   Framed-Routing = Broadcast-Listen,
      #   Framed-Filter-Id = "std.ppp",
      #   Framed-MTU = 1500,
      #   Framed-Compression = Van-Jacobsen-TCP-IP
      
      #
      # This is an entry for a user with a space in their name.
      # Note the double quotes surrounding the name.
      #
      #"John Doe" Cleartext-Password := "hello"
      #       Reply-Message = "Hello, %{User-Name}"
      
      #
      # Dial user back and telnet to the default host for that port
      #
      #Deg    Cleartext-Password := "ge55ged"
      #   Service-Type = Callback-Login-User,
      #   Login-IP-Host = 0.0.0.0,
      #   Callback-Number = "9,5551212",
      #   Login-Service = Telnet,
      #   Login-TCP-Port = Telnet
      
      #
      # Another complete entry. After the user "dialbk" has logged in, the
      # connection will be broken and the user will be dialed back after which
      # he will get a connection to the host "timeshare1".
      #
      #dialbk Cleartext-Password := "callme"
      #   Service-Type = Callback-Login-User,
      #   Login-IP-Host = timeshare1,
      #   Login-Service = PortMaster,
      #   Callback-Number = "9,1-800-555-1212"
      
      #
      # user "swilson" will only get a static IP number if he logs in with
      # a framed protocol on a terminal server in Alphen (see the huntgroups file).
      #
      # Note that by setting "Fall-Through", other attributes will be added from
      # the following DEFAULT entries
      #
      #swilson    Service-Type == Framed-User, Huntgroup-Name == "alphen"
      #       Framed-IP-Address = 192.168.1.65,
      #       Fall-Through = Yes
      
      #
      # If the user logs in as 'username.shell', then authenticate them
      # using the default method, give them shell access, and stop processing
      # the rest of the file.
      #
      #DEFAULT    Suffix == ".shell"
      #       Service-Type = Login-User,
      #       Login-Service = Telnet,
      #       Login-IP-Host = your.shell.machine
      
      
      #
      # The rest of this file contains the several DEFAULT entries.
      # DEFAULT entries match with all login names.
      # Note that DEFAULT entries can also Fall-Through (see first entry).
      # A name-value pair from a DEFAULT entry will _NEVER_ override
      # an already existing name-value pair.
      #
      
      #
      # Set up different IP address pools for the terminal servers.
      # Note that the "+" behind the IP address means that this is the "base"
      # IP address. The Port-Id (S0, S1 etc) will be added to it.
      #
      #DEFAULT    Service-Type == Framed-User, Huntgroup-Name == "alphen"
      #       Framed-IP-Address = 192.168.1.32+,
      #       Fall-Through = Yes
      
      #DEFAULT    Service-Type == Framed-User, Huntgroup-Name == "delft"
      #       Framed-IP-Address = 192.168.2.32+,
      #       Fall-Through = Yes
      
      #
      # Sample defaults for all framed connections.
      #
      #DEFAULT    Service-Type == Framed-User
      #   Framed-IP-Address = 255.255.255.254,
      #   Framed-MTU = 576,
      #   Service-Type = Framed-User,
      #   Fall-Through = Yes
      
      #
      # The three DEFAULT entries below are the only active entries left in
      # this file apart from the "localhost" entries near the top (every other
      # example above and below is commented out).  They match on request
      # attributes only -- none of them carries an Auth-Type or a password
      # check item -- and they add reply attributes for dial-up framing.
      # None of them sets Fall-Through, so a request that matches one of
      # them stops here; a request that matches none of them reaches the end
      # of the file and is denied (see the last comment in this file).
      #
      # Default for PPP: dynamic IP address, PPP mode, VJ-compression.
      # NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
      #   by the terminal server in which case there may not be a "P" suffix.
      #   The terminal server sends "Framed-Protocol = PPP" for auto PPP.
      #
      DEFAULT Framed-Protocol == PPP
          Framed-Protocol = PPP,
          Framed-Compression = Van-Jacobson-TCP-IP

      #
      # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
      # Matched on the Hint attribute (set by the "hints" file, see header).
      #
      DEFAULT Hint == "CSLIP"
          Framed-Protocol = SLIP,
          Framed-Compression = Van-Jacobson-TCP-IP

      #
      # Default for SLIP: dynamic IP address, SLIP mode.
      # Same Hint-based match as above, without VJ compression.
      #
      DEFAULT Hint == "SLIP"
          Framed-Protocol = SLIP
      
      #
      # Last default: rlogin to our main server.
      #
      #DEFAULT
      #   Service-Type = Login-User,
      #   Login-Service = Rlogin,
      #   Login-IP-Host = shellbox.ispdomain.com
      
      # #
      # # Last default: shell on the local terminal server.
      # #
      # DEFAULT
      #   Service-Type = Administrative-User
      
      # On no match, the user is denied access.
      

      OK, j'espère que tu n'auras pas mal à la tête avec tout ça. Merci.

      • [^] # Re: Et pour comprendre :

        Posté par  . Évalué à 2.

        Hello,

        Je ne connais pas FreeRADIUS et, si j'en ai entendu parler, j'ai dû l'oublier rapidement.
        Je voulais surtout t'aider à mieux formuler ta demande pour obtenir une réponse ;-)

        En cherchant sur Google « freeradius 2.2 Errors parsing authenticate section »,

        J'ai trouvé ça

        radiusd -X is the wrong way to start freeradius and will result in the error you showed you must start it with -d /jffs/etc/freeradius

        http://svn.dd-wrt.com/ticket/4099 (attention : ce ticket concerne DD-WRT, où la configuration est installée sous /jffs ; l'option -d sert seulement à indiquer le répertoire de configuration, et -X, qui active le mode débogage, reste utile ici pour voir quelle entrée du fichier users est retenue, comme l'indique l'en-tête de ce fichier).

        Quand j'ai un message d'erreur sur plusieurs lignes, je cherche chaque ligne dans un moteur de recherche et, en général, je trouve des infos pertinentes.
        Je commence par chercher la dernière ligne, puis, si rien ne me paraît pertinent, je cherche l'avant-dernière ligne, etc.

        Bonne chance dans tes travaux ; je ne pourrai malheureusement pas t'accompagner plus loin, ne connaissant ni le logiciel ni l'usage qu'on peut en faire.

        ++

        Julien_c'est_bien (y'a pas que Seb)

