Forum Linux.debian/ubuntu erreur radius

Posté par  . Licence CC By‑SA.
30
juil.
2016
including configuration file /usr/local/etc/raddb/modules/dhcp_sqlippool
including configuration file /usr/local/etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /usr/local/etc/raddb/modules/radrelay
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
main {
    allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
    name = "radiusd"
    prefix = "/usr/local"
    localstatedir = "/usr/local/var"
    sbindir = "/usr/local/sbin"
    logdir = "/usr/local/var/log/radius"
    run_dir = "/usr/local/var/run/radiusd"
    libdir = "/usr/local/lib"
    radacctdir = "/usr/local/var/log/radius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
    checkrad = "/usr/local/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
 log {
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
 }
 security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
 }
 home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth"
    secret = "testing123"
    response_window = 20
    max_outstanding = 65536
    require_message_authenticator = yes
    zombie_period = 40
    status_check = "status-server"
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
  coa {
    irt = 2
    mrt = 16
    mrc = 5
    mrd = 30
  }
 }
 home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
 }
 realm example.com {
    auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    shortname = "localhost"
    nastype = "other"
 }
 client 127.0.0.1 {
    require_message_authenticator = no
    secret = "testing123"
    shortname = "localhost"
    nastype = "other"
 }
WARNING: Ignoring duplicate client 127.0.0.1
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec
  exec {
    wait = no
    input_pairs = "request"
    shell_escape = yes
    timeout = 10
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration
  expiration {
    reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime
  logintime {
    reply-message = "You are calling outside your allowed timespan  "
    minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
 modules {
  Module: Creating Auth-Type = digest
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap
  pap {
    encryption_scheme = "auto"
    auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap
  mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = no
    allow_retry = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix
  unix {
    radwtmp = "/usr/local/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
  eap {
    default_eap_type = "tls"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
    challenge = "Password: "
    auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    CA_path = "/usr/local/openssl-certgen/ssl/certs"
    pem_file_type = yes
    private_key_file = "/usr/local/openssl-certgen/ssl/certs/serveur.pem"
    certificate_file = "/usr/local/openssl-certgen/ssl/certs/serveur.pem"
    CA_file = "/usr/local/openssl-certgen/ssl/certs/root.pem"
    private_key_password = "fergisuriel"
    dh_file = "/usr/local/openssl-certgen/ssl/certs/dh"
    random_file = "/usr/local/openssl-certgen/ssl/certs/random"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    check_cert_cn = "%{User-Name}"
    cipher_list = "DEFAULT"
    make_cert_command = "/usr/local/openssl-certgen/ssl/certs/bootstrap"
    ecdh_curve = "prime256v1"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
    verify {
    }
    ocsp {
        enable = no
        override_cert_url = yes
        url = "http://127.0.0.1/ocsp/"
        use_nonce = yes
        timeout = 0
        softfail = no
    }
   }
rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
rlm_eap_tls: Error reading certificate file /usr/local/openssl-certgen/ssl/certs/serveur.pem
rlm_eap: Failed to initialize type tls
/usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/usr/local/etc/raddb/sites-enabled/default[310]: Failed to find "eap" in the "modules" section.
/usr/local/etc/raddb/sites-enabled/default[252]: Errors parsing authenticate section. 
root@fredy:/usr/local/etc/raddb# ^C
root@fredy:/usr/local/etc/raddb# clear

root@fredy:/usr/local/etc/raddb# radiusd -X
radiusd: FreeRADIUS Version 2.2.2, for host x86_64-unknown-linux-gnu, built on Nov 11 2015 at 16:12:24
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/cache
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/dhcp_sqlippool
including configuration file /usr/local/etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /usr/local/etc/raddb/modules/radrelay
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
main {
    allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
    name = "radiusd"
    prefix = "/usr/local"
    localstatedir = "/usr/local/var"
    sbindir = "/usr/local/sbin"
    logdir = "/usr/local/var/log/radius"
    run_dir = "/usr/local/var/run/radiusd"
    libdir = "/usr/local/lib"
    radacctdir = "/usr/local/var/log/radius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
    checkrad = "/usr/local/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
 log {
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
 }
 security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
 }
 home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth"
    secret = "testing123"
    response_window = 20
    max_outstanding = 65536
    require_message_authenticator = yes
    zombie_period = 40
    status_check = "status-server"
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
  coa {
    irt = 2
    mrt = 16
    mrc = 5
    mrd = 30
  }
 }
 home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
 }
 realm example.com {
    auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    shortname = "localhost"
    nastype = "other"
 }
 client 127.0.0.1 {
    require_message_authenticator = no
    secret = "testing123"
    shortname = "localhost"
    nastype = "other"
 }
WARNING: Ignoring duplicate client 127.0.0.1
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec
  exec {
    wait = no
    input_pairs = "request"
    shell_escape = yes
    timeout = 10
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration
  expiration {
    reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime
  logintime {
    reply-message = "You are calling outside your allowed timespan  "
    minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
 modules {
  Module: Creating Auth-Type = digest
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap
  pap {
    encryption_scheme = "auto"
    auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap
  mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = no
    allow_retry = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix
  unix {
    radwtmp = "/usr/local/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
  eap {
    default_eap_type = "tls"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
    challenge = "Password: "
    auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    CA_path = "/usr/local/openssl-certgen/ssl/certs"
    pem_file_type = yes
    private_key_file = "/usr/local/openssl-certgen/ssl/certs/serveur.pem"
    certificate_file = "/usr/local/openssl-certgen/ssl/certs/serveur.pem"
    CA_file = "/usr/local/openssl-certgen/ssl/certs/root.pem"
    private_key_password = "fergisuriel"
    dh_file = "/usr/local/openssl-certgen/ssl/certs/dh"
    random_file = "/usr/local/openssl-certgen/ssl/certs/random"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    check_cert_cn = "%{User-Name}"
    cipher_list = "DEFAULT"
    make_cert_command = "/usr/local/openssl-certgen/ssl/certs/bootstrap"
    ecdh_curve = "prime256v1"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
    verify {
    }
    ocsp {
        enable = no
        override_cert_url = yes
        url = "http://127.0.0.1/ocsp/"
        use_nonce = yes
        timeout = 0
        softfail = no
    }
   }
rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
rlm_eap_tls: Error reading certificate file /usr/local/openssl-certgen/ssl/certs/serveur.pem
rlm_eap: Failed to initialize type tls
/usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/usr/local/etc/raddb/sites-enabled/default[310]: Failed to find "eap" in the "modules" section.
/usr/local/etc/raddb/sites-enabled/default[252]: Errors parsing authenticate section. 
root@fredy:/usr/local/etc/raddb# 
  • # Certificat

    Posté par  . Évalué à 5.

    Error reading certificate file /usr/local/openssl-certgen/ssl/certs/serveur.pem

    J’y connais pas grand-chose, mais comme ça je dirais qu’il est nécessaire que tu génères un certificat pour SSL, ce que tu n’as a priori pas fait. L’erreur « PEM_read_bio:no start line » signifie en général qu’OpenSSL n’a trouvé aucune ligne « -----BEGIN ... » dans serveur.pem : le fichier est vide, au format DER plutôt que PEM, ou ce n’est pas le bon fichier. C’est là-dessus que porterait ma recherche si j’étais à ta place.

    C’est peut-être ça qui provoque l’erreur suivante : Errors parsing authenticate section.

    Comme d’autres personnes te l’ont dit : décris ce que tu cherches à faire, quelles sont les modifications que tu as apportées aux fichiers, etc.

    Là en l’état ça donne pas envie d’aider.

    • [^] # Re: Certificat

      Posté par  . Évalué à 0. Dernière modification le 30 juillet 2016 à 17:57.

      OS et logiciels impliqués :
      - Linux debian wheezy 7.0.0 amd 64 pour le serveur
      - Windows XP, 7 pour les postes clients
      - openssl-1.0.0s.tar.gz
      - freeradius-server-2.2.2 .tar.gz

      Ce que je veux faire : contribuer à l’amélioration de la sécurité d’un réseau Wi-Fi au moyen d’un serveur d’authentification RADIUS sous Debian.

      Le problème : quand je lance la commande radiusd -X, je reçois vers la fin le message d’erreur que voici :

      rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
      rlm_eap_tls: Error reading certificate file /usr/local/openssl-certgen/ssl/certs/serveur.pem
      rlm_eap: Failed to initialize type tls
      /usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
      /usr/local/etc/raddb/sites-enabled/default[310]: Failed to find "eap" in the "modules" section.
      /usr/local/etc/raddb/sites-enabled/default[252]: Errors parsing authenticate section. 
      

      Or, j’ai généré tous les certificats (xpextensions, CA.root, CA.svr, CA.clt) dans le dossier « /usr/local/openssl-certgen/ssl/certs », ce qui me donne les fichiers : demoCA, fergis.der, fergis.p12, fergis.pem, newcert.pem, root.der, root.p12, root.pem, serveur.der, serveur.p12, serveur.pem, xpextensions.

      À noter qu’ici le client est « fergis ».

      Le dossier /usr/local/etc/raddb contient les fichiers eap.conf, clients.conf, radiusd.conf et users, que j’ai modifiés.

      Un aperçu de eap.conf :

      # -*- text -*-
      ##
      ##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
      ##
      ##  $Id: d2c2b658bed01c345e9e34d7420a5d0e5541eeae $
      
      #######################################################################
      #
      #  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
      #  is smart enough to figure this out on its own.  The most
      #  common side effect of setting 'Auth-Type := EAP' is that the
      #  users then cannot use ANY other authentication method.
      #
      #  EAP types NOT listed here may be supported via the "eap2" module.
      #  See experimental.conf for documentation.
      #
          eap {
              #  Invoke the default supported EAP type when
              #  EAP-Identity response is received.
              #
              #  The incoming EAP messages DO NOT specify which EAP
              #  type they will be using, so it MUST be set here.
              #
              #  For now, only one default EAP type may be used at a time.
              #
              #  If the EAP-Type attribute is set by another module,
              #  then that EAP type takes precedence over the
              #  default type configured here.
              #
              default_eap_type = tls
      
              #  A list is maintained to correlate EAP-Response
              #  packets with EAP-Request packets.  After a
              #  configurable length of time, entries in the list
              #  expire, and are deleted.
              #
              timer_expire     = 60
      
              #  There are many EAP types, but the server has support
              #  for only a limited subset.  If the server receives
              #  a request for an EAP type it does not support, then
              #  it normally rejects the request.  By setting this
              #  configuration to "yes", you can tell the server to
              #  instead keep processing the request.  Another module
              #  MUST then be configured to proxy the request to
              #  another RADIUS server which supports that EAP type.
              #
              #  If another module is NOT configured to handle the
              #  request, then the request will still end up being
              #  rejected.
              ignore_unknown_eap_types = no
      
              # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
              # a User-Name attribute in an Access-Accept, it copies one
              # more byte than it should.
              #
              # We can work around it by configurably adding an extra
              # zero byte.
              cisco_accounting_username_bug = no
      
              #
              #  Help prevent DoS attacks by limiting the number of
              #  sessions that the server is tracking.  Most systems
              #  can handle ~30 EAP sessions/s, so the default limit
              #  of 4096 should be OK.
              max_sessions = 4096
      
              # Supported EAP-types
      
              #
              #  We do NOT recommend using EAP-MD5 authentication
              #  for wireless connections.  It is insecure, and does
              #  not provide for dynamic WEP keys.
              #
      md5{
      
              }
      
              # Cisco LEAP
              #
              #  We do not recommend using LEAP in new deployments.  See:
              #  http://www.securiteam.com/tools/5TP012ACKE.html
              #
              #  Cisco LEAP uses the MS-CHAP algorithm (but not
              #  the MS-CHAP attributes) to perform it's authentication.
              #
              #  As a result, LEAP *requires* access to the plain-text
              #  User-Password, or the NT-Password attributes.
              #  'System' authentication is impossible with LEAP.
              #
              leap {
              }
      
              #  Generic Token Card.
              #
              #  Currently, this is only permitted inside of EAP-TTLS,
              #  or EAP-PEAP.  The module "challenges" the user with
              #  text, and the response from the user is taken to be
              #  the User-Password.
              #
              #  Proxying the tunneled EAP-GTC session is a bad idea,
              #  the users password will go over the wire in plain-text,
              #  for anyone to see.
              #
              gtc {
                  #  The default challenge, which many clients
                  #  ignore..
                  #challenge = "Password: "
      
                  #  The plain-text response which comes back
                  #  is put into a User-Password attribute,
                  #  and passed to another module for
                  #  authentication.  This allows the EAP-GTC
                  #  response to be checked against plain-text,
                  #  or crypt'd passwords.
                  #
                  #  If you say "Local" instead of "PAP", then
                  #  the module will look for a User-Password
                  #  configured for the request, and do the
                  #  authentication itself.
                  #
                  auth_type = PAP
              }
      
              ## EAP-TLS
              #
              #  See raddb/certs/README for additional comments
              #  on certificates.
              #
              #  If OpenSSL was not found at the time the server was
              #  built, the "tls", "ttls", and "peap" sections will
              #  be ignored.
              #
              #  Otherwise, when the server first starts in debugging
              #  mode, test certificates will be created.  See the
              #  "make_cert_command" below for details, and the README
              #  file in raddb/certs
              #
              #  These test certificates SHOULD NOT be used in a normal
              #  deployment.  They are created only to make it easier
              #  to install the server, and to perform some simple
              #  tests with EAP-TLS, TTLS, or PEAP.
              #
              #  See also:
              #
              #  http://www.dslreports.com/forum/remark,9286052~mode=flat
              #
              #  Note that you should NOT use a globally known CA here!
              #  e.g. using a Verisign cert as a "known CA" means that
              #  ANYONE who has a certificate signed by them can
              #  authenticate via EAP-TLS!  This is likely not what you want.
              tls {
                  #
                  #  These is used to simplify later configurations.
                  #
                  certdir =/usr/local/openssl-certgen/ssl/certs
      
                  cadir   =/usr/local/openssl-certgen/ssl/certs 
      
                  certdir = ${confdir}/certs
                  cadir   = ${confdir}/certs
      
                  private_key_password = fergisuriel
                  private_key_file = ${certdir}/serveur.pem
      
                  #  If Private key & Certificate are located in
                  #  the same file, then private_key_file &
                  #  certificate_file must contain the same file
                  #  name.
                  #
                  #  If CA_file (below) is not used, then the
                  #  certificate_file below MUST include not
                  #  only the server certificate, but ALSO all
                  #  of the CA certificates used to sign the
                  #  server certificate.
                  certificate_file = /usr/local/openssl-certgen/ssl/certs/serveur.pem
      
                  #  Trusted Root CA list
                  #
                  #  ALL of the CA's in this list will be trusted
                  #  to issue client certificates for authentication.
                  #
                  #  In general, you should use self-signed
                  #  certificates for 802.1x (EAP) authentication.
                  #  In that case, this CA file should contain
                  #  *one* CA certificate.
                  #
                  #  This parameter is used only for EAP-TLS,
                  #  when you issue client certificates.  If you do
                  #  not use client certificates, and you do not want
                  #  to permit EAP-TLS authentication, then delete
                  #  this configuration item.
                  CA_file = /usr/local/openssl-certgen/ssl/certs/root.pem
      
                  #
                  #  For DH cipher suites to work, you have to
                  #  run OpenSSL to create the DH file first:
                  #
                  #   openssl dhparam -out certs/dh 1024
                  #
                  dh_file = ${certdir}/dh
      
                  #
                  #  If your system doesn't have /dev/urandom,
                  #  you will need to create this file, and
                  #  periodically change its contents.
                  #
                  #  For security reasons, FreeRADIUS doesn't
                  #  write to files in its configuration
                  #  directory.
                  #
                  random_file = ${certdir}/random
      
                  #
                  #  This can never exceed the size of a RADIUS
                  #  packet (4096 bytes), and is preferably half
                  #  that, to accommodate other attributes in
                  #  RADIUS packet.  On most APs the MAX packet
                  #  length is configured between 1500 - 1600
                  #  In these cases, fragment size should be
                  #  1024 or less.
                  #
                         fragment_size = 1024
      
                  #  include_length is a flag which is
                  #  by default set to yes.  If set to
                  #  yes, Total Length of the message is
                  #  included in EVERY packet we send.
                  #  If set to no, Total Length of the
                  #  message is included ONLY in the
                  #  First packet of a fragment series.
                  #
                  include_length = yes
      
                  #  Check the Certificate Revocation List
                  #
                  #  1) Copy CA certificates and CRLs to same directory.
                  #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
                  #    'c_rehash' is OpenSSL's command.
                  #  3) uncomment the line below.
                  #  4) Restart radiusd
                  #
                  #  NOTE(review): check_crl is still commented out here, so CRLs
                  #  placed under CA_path are not consulted during the TLS
                  #  handshake.  A revoked client certificate is therefore still
                  #  accepted unless the "verify" or "ocsp" sections further
                  #  down are enabled.
              #   check_crl = yes
                  CA_path = ${cadir}
      
                     #
                     #  If check_cert_issuer is set, the value will
                     #  be checked against the DN of the issuer in
                     #  the client certificate.  If the values do not
                     #  match, the certificate verification will fail,
                     #  rejecting the user.
                     #
                     #  In 2.1.10 and later, this check can be done
                     #  more generally by checking the value of the
                     #  TLS-Client-Cert-Issuer attribute.  This check
                     #  can be done via any mechanism you choose.
                     #
              #       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
      
                     #
                     #  If check_cert_cn is set, the value will
                     #  be xlat'ed and checked against the CN
                     #  in the client certificate.  If the values
                     #  do not match, the certificate verification
                     #  will fail rejecting the user.
                     #
                     #  This check is done only if the previous
                     #  "check_cert_issuer" is not set, or if
                     #  the check succeeds.
                     #
                     #  In 2.1.10 and later, this check can be done
                     #  more generally by checking the value of the
                     #  TLS-Client-Cert-CN attribute.  This check
                     #  can be done via any mechanism you choose.
                     #
                     #  NOTE(review): this line is active (check_cert_issuer
                     #  above is not), so the client certificate's CN must
                     #  equal the xlat'ed User-Name or the TLS verification
                     #  fails and the user is rejected.
                     #
                           check_cert_cn = %{User-Name}
              #
                  # Set this option to specify the allowed
                  # TLS cipher suites.  The format is listed
                  # in "man 1 ciphers".
                  #
                  # NOTE(review): "DEFAULT" delegates suite selection to the
                  # OpenSSL build the server is linked against, so the suites
                  # actually offered depend on that build; list them with the
                  # tool from "man 1 ciphers" if a restricted set is required.
                  cipher_list = "DEFAULT"
      
                  #
                  # As part of checking a client certificate, the EAP-TLS
                  # sets some attributes such as TLS-Client-Cert-CN. This
                  # virtual server has access to these attributes, and can
                  # be used to accept or reject the request.
                  #
              #   virtual_server = check-eap-tls
      
                  # This command creates the initial "snake oil"
                  # certificates when the server is run as root,
                  # and via "radiusd -X".
                  #
                  # As of 2.1.11, it *also* checks the server
                  # certificate for validity, including expiration.
                  # This means that radiusd will refuse to start
                  # when the certificate has expired.  The alternative
                  # is to have the 802.1X clients refuse to connect
                  # when they discover the certificate has expired.
                  #
                  # Debugging client issues is hard, so it's better
                  # for the server to print out an error message,
                  # and refuse to start.
                  #
                  make_cert_command = "${certdir}/bootstrap"
      
                  #
                  #  Elliptical cryptography configuration
                  #
                  #  Only for OpenSSL >= 0.9.8.f
                  #
                  ecdh_curve = "prime256v1"
      
                  #
                  #  Session resumption / fast reauthentication
                  #  cache.
                  #
                  #  The cache contains the following information:
                  #
                  #  session Id - unique identifier, managed by SSL
                  #  User-Name  - from the Access-Accept
                  #  Stripped-User-Name - from the Access-Request
                  #  Cached-Session-Policy - from the Access-Accept
                  #
                  #  The "Cached-Session-Policy" is the name of a
                  #  policy which should be applied to the cached
                  #  session.  This policy can be used to assign
                  #  VLANs, IP addresses, etc.  It serves as a useful
                  #  way to re-apply the policy from the original
                  #  Access-Accept to the subsequent Access-Accept
                  #  for the cached session.
                  #
                  #  On session resumption, these attributes are
                  #  copied from the cache, and placed into the
                  #  reply list.
                  #
                  #  You probably also want "use_tunneled_reply = yes"
                  #  when using fast session resumption.
                  #
                  cache {
                        #
                        #  Enable it.  The default is "no".
                        #  Deleting the entire "cache" subsection
                        #  also disables caching.
                        #
                        #  You can disallow resumption for a
                        #  particular user by adding the following
                        #  attribute to the control item list:
                        #
                        #     Allow-Session-Resumption = No
                        #
                        #  If "enable = no" below, you CANNOT
                        #  enable resumption for just one user
                        #  by setting the above attribute to "yes".
                        #
                        #  NOTE(review): left at "no" here, so session
                        #  resumption is off and the lifetime / max_entries
                        #  values below are not used.  The hint above about
                        #  "use_tunneled_reply = yes" only matters once this
                        #  is switched on.
                        #
                        enable = no
      
                        #
                        #  Lifetime of the cached entries, in hours.
                        #  The sessions will be deleted after this
                        #  time.
                        #
                        lifetime = 24 # hours
      
                        #
                        #  The maximum number of entries in the
                        #  cache.  Set to "0" for "infinite".
                        #
                        #  This could be set to the number of users
                        #  who are logged in... which can be a LOT.
                        #
                        max_entries = 255
                  }
      
                  #
                  #  As of version 2.1.10, client certificates can be
                  #  validated via an external command.  This allows
                  #  dynamic CRLs or OCSP to be used.
                  #
                  #  This configuration is commented out in the
                  #  default configuration.  Uncomment it, and configure
                  #  the correct paths below to enable it.
                  #
                  verify {
                      #  A temporary directory where the client
                      #  certificates are stored.  This directory
                      #  MUST be owned by the UID of the server,
                      #  and MUST not be accessible by any other
                      #  users.  When the server starts, it will do
                      #  "chmod go-rwx" on the directory, for
                      #  security reasons.  The directory MUST
                      #  exist when the server starts.
                      #
                      #  You should also delete all of the files
                      #  in the directory when the server starts.
                      #
                      #  NOTE(review): both tmpdir and client are commented
                      #  out, so this section runs no external verification
                      #  at all; uncomment both and set real paths to enable
                      #  it, keeping tmpdir private to the server UID as
                      #  described above.
              #           tmpdir = /tmp/radiusd
      
                      #  The command used to verify the client cert.
                      #  We recommend using the OpenSSL command-line
                      #  tool.
                      #
                      #  The ${..CA_path} text is a reference to
                      #  the CA_path variable defined above.
                      #
                      #  The %{TLS-Client-Cert-Filename} is the name
                      #  of the temporary file containing the cert
                      #  in PEM format.  This file is automatically
                      #  deleted by the server when the command
                      #  returns.
              #           client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
                  }
      
                  #
                  #  OCSP Configuration
                  #  Certificates can be verified against an OCSP
                  #  Responder. This makes it possible to immediately
                  #  revoke certificates without the distribution of
                  #  new Certificate Revocation Lists (CRLs).
                  #
                  ocsp {
                        #
                        #  Enable it.  The default is "no".
                        #  Deleting the entire "ocsp" subsection
                        #  also disables ocsp checking
                        #
                        #  NOTE(review): left at "no", so no OCSP query is made
                        #  and the url / override_cert_url settings below are
                        #  inactive.  With check_crl also commented out in the
                        #  section above, certificate revocation is not checked
                        #  anywhere in this configuration.
                        #
                        enable = no
      
                        #
                        #  The OCSP Responder URL can be automatically
                        #  extracted from the certificate in question.
                        #  To override the OCSP Responder URL set
                        #  "override_cert_url = yes". 
                        #
                        #  NOTE(review): "yes" means the responder address
                        #  found in the certificate is ignored and the fixed
                        #  url below is used instead; 127.0.0.1 must then
                        #  really host a responder, otherwise every check
                        #  fails (or, with softfail enabled, is passed over).
                        #
                        override_cert_url = yes
      
                        #
                        #  If the OCSP Responder address is not
                        #  extracted from the certificate, the
                        #  URL can be defined here.
      
                        #
                        #  Limitation: Currently the HTTP
                        #  Request is not sending the "Host: "
                        #  information to the web-server.  This
                        #  can be a problem if the OCSP
                        #  Responder is running as a vhost.
                        #
                        url = "http://127.0.0.1/ocsp/"
      
                        #
                        # If the OCSP Responder can not cope with nonce
                        # in the request, then it can be disabled here.
                        #
                        # For security reasons, disabling this option
                        # is not recommended as nonce protects against
                        # replay attacks.
                        #
                        # Note that Microsoft AD Certificate Services OCSP
                        # Responder does not enable nonce by default. It is
                        # more secure to enable nonce on the responder than
                        # to disable it in the query here.
                        # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
                        #
                        # use_nonce = yes
      
                        #
                        # Number of seconds before giving up waiting
                        # for OCSP response. 0 uses system default.
                        #
                        # timeout = 0
      
                        #
                        # Normally an error in querying the OCSP
                        # responder (no response from server, server did
                        # not understand the request, etc) will result in
                        # a validation failure.
                        #
                        # To treat these errors as 'soft' failures and
                        # still accept the certificate, enable this
                        # option.
                        # 
                        # Warning: this may enable clients with revoked
                        # certificates to connect if the OCSP responder
                        # is not available. Use with caution.
                        #
                        # softfail = no
                  }
              }
      
              #  The TTLS module implements the EAP-TTLS protocol,
              #  which can be described as EAP inside of Diameter,
              #  inside of TLS, inside of EAP, inside of RADIUS...
              #
              #  Surprisingly, it works quite well.
              #
              #  The TTLS module needs the TLS module to be installed
              #  and configured, in order to use the TLS tunnel
              #  inside of the EAP packet.  You will still need to
              #  configure the TLS module, even if you do not want
              #  to deploy EAP-TLS in your network.  Users will not
              #  be able to request EAP-TLS, as it requires them to
              #  have a client certificate.  EAP-TTLS does not
              #  require a client certificate.
              #
              #  You can make TTLS require a client cert by setting
              #
              #   EAP-TLS-Require-Client-Cert = Yes
              #
              #  in the control items for a request.
              #
              ttls {
                  #  The tunneled EAP session needs a default
                  #  EAP type which is separate from the one for
                  #  the non-tunneled EAP module.  Inside of the
                  #  TTLS tunnel, we recommend using EAP-MD5.
                  #  If the request does not contain an EAP
                  #  conversation, then this configuration entry
                  #  is ignored.
                  #
                  #  NOTE(review): the inner request is handed to the
                  #  "inner-tunnel" virtual server set further down, so
                  #  the type defaulted here has to be handled by that
                  #  server — TODO confirm against sites-enabled/inner-tunnel.
                  default_eap_type = md5
      
                  #  The tunneled authentication request does
                  #  not usually contain useful attributes
                  #  like 'Calling-Station-Id', etc.  These
                  #  attributes are outside of the tunnel,
                  #  and normally unavailable to the tunneled
                  #  authentication request.
                  #
                  #  By setting this configuration entry to
                  #  'yes', any attribute which is NOT in the
                  #  tunneled authentication request, but
                  #  which IS available outside of the tunnel,
                  #  is copied to the tunneled request.
                  #
                  # allowed values: {no, yes}
                  copy_request_to_tunnel = no
      
                  #  The reply attributes sent to the NAS are
                  #  usually based on the name of the user
                  #  'outside' of the tunnel (usually
                  #  'anonymous').  If you want to send the
                  #  reply attributes based on the user name
                  #  inside of the tunnel, then set this
                  #  configuration entry to 'yes', and the reply
                  #  to the NAS will be taken from the reply to
                  #  the tunneled request.
                  #
                  # allowed values: {no, yes}
                  use_tunneled_reply = no
      
                  #
                  #  The inner tunneled request can be sent
                  #  through a virtual server constructed
                  #  specifically for this purpose.
                  #
                  #  If this entry is commented out, the inner
                  #  tunneled request will be sent through
                  #  the virtual server that processed the
                  #  outer requests.
                  #
                  virtual_server = "inner-tunnel"
      
                  #  This has the same meaning as the
                  #  same field in the "tls" module, above.
                  #  The default value here is "yes".
              #   include_length = yes
              }
      
              ##################################################
              #
              #  !!!!! WARNINGS for Windows compatibility  !!!!!
              #
              ##################################################
              #
              #  If you see the server send an Access-Challenge,
              #  and the client never sends another Access-Request,
              #  then
              #
              #       STOP!
              #
              #  The server certificate has to have special OID's
              #  in it, or else the Microsoft clients will silently
              #  fail.  See the "scripts/xpextensions" file for
              #  details, and the following page:
              #
              #   http://support.microsoft.com/kb/814394/en-us
              #
              #  For additional Windows XP SP2 issues, see:
              #
              #   http://support.microsoft.com/kb/885453/en-us
              #
              #
              #  If it still doesn't work, and you're using Samba,
              #  you may be encountering a Samba bug.  See:
              #
              #   https://bugzilla.samba.org/show_bug.cgi?id=6563
              #
              #  Note that we do not necessarily agree with their
              #  explanation... but the fix does appear to work.
              #
              ##################################################
      
              #
              #  The tunneled EAP session needs a default EAP type
              #  which is separate from the one for the non-tunneled
              #  EAP module.  Inside of the TLS/PEAP tunnel, we
              #  recommend using EAP-MS-CHAPv2.
              #
              #  The PEAP module needs the TLS module to be installed
              #  and configured, in order to use the TLS tunnel
              #  inside of the EAP packet.  You will still need to
              #  configure the TLS module, even if you do not want
              #  to deploy EAP-TLS in your network.  Users will not
              #  be able to request EAP-TLS, as it requires them to
              #  have a client certificate.  EAP-PEAP does not
              #  require a client certificate.
              #
              #
              #  You can make PEAP require a client cert by setting
              #
              #   EAP-TLS-Require-Client-Cert = Yes
              #
              #  in the control items for a request.
              #
              peap {
                  #  The tunneled EAP session needs a default
                  #  EAP type which is separate from the one for
                  #  the non-tunneled EAP module.  Inside of the
                  #  PEAP tunnel, we recommend using MS-CHAPv2,
                  #  as that is the default type supported by
                  #  Windows clients.
                  #
                  #  NOTE(review): the inner mschapv2 sub-module is the
                  #  "mschapv2 {}" section below; per that section's
                  #  header the main 'mschap' module must also be
                  #  configured, and the inner request goes to the
                  #  "inner-tunnel" virtual server set further down.
                  default_eap_type = mschapv2
      
                  #  the PEAP module also has these configuration
                  #  items, which are the same as for TTLS.
                  copy_request_to_tunnel = no
                  use_tunneled_reply = no
      
                  #  When the tunneled session is proxied, the
                  #  home server may not understand EAP-MSCHAP-V2.
                  #  Set this entry to "no" to proxy the tunneled
                  #  EAP-MSCHAP-V2 as normal MSCHAPv2.
              #   proxy_tunneled_request_as_eap = yes
      
                  #
                  #  The inner tunneled request can be sent
                  #  through a virtual server constructed
                  #  specifically for this purpose.
                  #
                  #  If this entry is commented out, the inner
                  #  tunneled request will be sent through
                  #  the virtual server that processed the
                  #  outer requests.
                  #
                  virtual_server = "inner-tunnel"
      
                  # This option enables support for MS-SoH
                  # see doc/SoH.txt for more info.
                  # It is disabled by default.
                  #
      #           soh = yes
      
                  #
                  # The SoH reply will be turned into a request which
                  # can be sent to a specific virtual server:
                  #
      #           soh_virtual_server = "soh-server"
              }
      
              #
              #  This takes no configuration.
              #
              #  Note that it is the EAP MS-CHAPv2 sub-module, not
              #  the main 'mschap' module.
              #
              #  Note also that in order for this sub-module to work,
              #  the main 'mschap' module MUST ALSO be configured.
              #
              #  This module is the *Microsoft* implementation of MS-CHAPv2
              #  in EAP.  There is another (incompatible) implementation
              #  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
              #  currently support.
              #
              mschapv2 {
                  #  Prior to version 2.1.11, the module never
                  #  sent the MS-CHAP-Error message to the
                  #  client.  This worked, but it had issues
                  #  when the cached password was wrong.  The
                  #  server *should* send "E=691 R=0" to the
                  #  client, which tells it to prompt the user
                  #  for a new password.
                  #
                  #  The default is to behave as in 2.1.10 and
                  #  earlier, which is known to work.  If you
                  #  set "send_error = yes", then the error
                  #  message will be sent back to the client.
                  #  This *may* help some clients work better,
                  #  but *may* also cause other clients to stop
                  #  working.
                  #
                  #  NOTE(review): nothing is set in this section, so the
                  #  default described above (no MS-CHAP-Error sent) applies.
      #           send_error = no
              }
          }   
      
      clients.conf
      
      # -*- text -*-
      ##
      ## clients.conf -- client configuration directives
      ##
      ##  $Id: 729c15d3e84c6cdb54a5f3652d93a2d7f8725fd4 $
      
      #######################################################################
      #
      #  Define RADIUS clients (usually a NAS, Access Point, etc.).
      
      #
      #  Defines a RADIUS client.
      #
      #  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
      #  to allow testing of the server after an initial installation.  If you
      #  are not going to be permitting RADIUS queries from localhost, we suggest
      #  that you delete, or comment out, this entry.
      #
      #
      
      #
      #  Each client has a "short name" that is used to distinguish it from
      #  other clients.
      #
      #  In version 1.x, the string after the word "client" was the IP
      #  address of the client.  In 2.0, the IP address is configured via
      #  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
      #  format is still accepted.
      #
      client localhost{
          #  Allowed values are:
          #   dotted quad (1.2.3.4)
          #       hostname    (radius.example.com)
          #
          #  NOTE(review): a second, unnamed "client 127.0.0.1 { ... }"
          #  block near the end of this file covers this same address
          #  with the same secret.  Two client definitions for one
          #  address are likely to be rejected when clients.conf is
          #  loaded — TODO confirm against the radiusd -X output, and
          #  keep only one of the two.
          ipaddr = 127.0.0.1
      
          #  OR, you can use an IPv6 address, but not both
          #  at the same time.
      #   ipv6addr = ::   # any.  ::1 == localhost
      
          #
          #  A note on DNS:  We STRONGLY recommend using IP addresses
          #  rather than host names.  Using host names means that the
          #  server will do DNS lookups when it starts, making it
          #  dependent on DNS.  i.e. If anything goes wrong with DNS,
          #  the server won't start!
          #
          #  The server also looks up the IP address from DNS once, and
          #  only once, when it starts.  If the DNS record is later
          #  updated, the server WILL NOT see that update.
          #
      
          #  One client definition can be applied to an entire network.
          #  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
          #  "netmask = 8"
          #
          #  If not specified, the default netmask is 32 (i.e. /32)
          #
          #  We do NOT recommend using anything other than 32.  There
          #  are usually other, better ways to achieve the same goal.
          #  Using netmasks of other than 32 can cause security issues.
          #
          #  You can specify overlapping networks (127/8 and 127.0/16)
          #  In that case, the smallest possible network will be used
          #  as the "best match" for the client.
          #
          #  Clients can also be defined dynamically at run time, based
          #  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
          #  etc.
          #  See raddb/sites-available/dynamic-clients for details.
          #
      
      #   netmask = 32
      
          #
          #  The shared secret use to "encrypt" and "sign" packets between
          #  the NAS and FreeRADIUS.  You MUST change this secret from the
          #  default, otherwise it's not a secret any more!
          #
          #  The secret can be any string, up to 8k characters in length.
          #
          #  Control codes can be entered via octal encoding,
          #   e.g. "\101\102" == "AB"
          #  Quotation marks can be entered by escaping them,
          #   e.g. "foo\"bar"
          #
          #  A note on security:  The security of the RADIUS protocol
          #  depends COMPLETELY on this secret!  We recommend using a
          #  shared secret that is composed of:
          #
          #   upper case letters
          #   lower case letters
          #   numbers
          #
          #  And is at LEAST 8 characters long, preferably 16 characters in
          #  length.  The secret MUST be random, and should not be words,
          #  phrase, or anything else that is recognizable.
          #
          #  The default secret below is only for testing, and should
          #  not be used in any real environment.
          #
          #  NOTE(review): the shipped test secret is still in use here,
          #  contrary to the warning above.  For a client bound to
          #  127.0.0.1 the exposure is limited to local processes, but
          #  any client reachable from the network needs a random secret
          #  of the length recommended above.
          #
          secret      = testing123
      
          #
          #  Old-style clients do not send a Message-Authenticator
          #  in an Access-Request.  RFC 5080 suggests that all clients
          #  SHOULD include it in an Access-Request.  The configuration
          #  item below allows the server to require it.  If a client
          #  is required to include a Message-Authenticator and it does
          #  not, then the packet will be silently discarded.
          #
          #  NOTE(review): "no" keeps old clients working but lets an
          #  Access-Request that carries no Message-Authenticator be
          #  processed on the shared secret alone; "yes" is the safer
          #  setting once the NAS is known to send the attribute — TODO
          #  confirm against the NAS in use.
          #
          #  allowed values: yes, no
          require_message_authenticator = no
      
          #
          #  The short name is used as an alias for the fully qualified
          #  domain name, or the IP address.
          #
          #  It is accepted for compatibility with 1.x, but it is no
          #  longer necessary in 2.0
          #
                       shortname = localhost
      
          #
          # the following three fields are optional, but may be used by
          # checkrad.pl for simultaneous use checks
          #
      
          #
          # The nastype tells 'checkrad.pl' which NAS-specific method to
          #  use to query the NAS for simultaneous use.
          #
          #  Permitted NAS types are:
          #
          #   cisco
          #   computone
          #   livingston
          #   juniper
          #   max40xx
          #   multitech
          #   netserver
          #   pathras
          #   patton
          #   portslave
          #   tc
          #   usrhiper
          #   other       # for all other types
      
          #
          nastype     = other
      
                     # localhost isn't usually a NAS...
      
          #
          #  The following two configurations are for future use.
          #  The 'naspasswd' file is currently used to store the NAS
          #  login name and password, which is used by checkrad.pl
          #  when querying the NAS for simultaneous use.
          #
      #   login       = !root
      #   password    = someadminpas
      
          #
          #  As of 2.0, clients can also be tied to a virtual server.
          #  This is done by setting the "virtual_server" configuration
          #  item, as in the example below.
          #
      #   virtual_server = home1
      
          #
          #  A pointer to the "home_server_pool" OR a "home_server"
          #  section that contains the CoA configuration for this
          #  client.  For an example of a coa home server or pool,
          #  see raddb/sites-available/originate-coa
      #   coa_server = coa
      }
      
      # IPv6 Client
      #client ::1 {
      #   secret      = testing123
      #   shortname   = localhost
      #}
      #
      # All IPv6 Site-local clients
      #client fe80::/16 {
      #   secret      = testing123
      #   shortname   = localhost
      #}
      
      #client some.host.org {
      #   secret      = testing123
      #   shortname   = localhost
      #}
      
      #
      #  You can now specify one secret for a network of clients.
      #  When a client request comes in, the BEST match is chosen.
      #  i.e. The entry from the smallest possible network.
      #
      #client 192.168.0.0/24 {
      #   secret      = testing123-1
      #   shortname   = private-network-1
      #}
      #
      #client 192.168.0.0/16 {
      #   secret      = testing123-2
      #   shortname   = private-network-2
      #}
      
      
      #
      #  NOTE(review): 1.x-style entry (the address is the section name,
      #  see the note above "client localhost").  It defines the same
      #  address, secret, shortname and nastype as the "client localhost"
      #  block above, so it is a pure duplicate; a second client for one
      #  address is likely to make the server refuse to load clients.conf
      #  — TODO confirm against the radiusd -X output, then delete one of
      #  the two blocks.  The secret is the shipped test value; see the
      #  warning in "client localhost".
      #
      client 127.0.0.1 {
      secret = testing123
      shortname = localhost
      nastype = other
      }
      
      
      
      
      
      #client 10.10.10.10 {
      #   # secret and password are mapped through the "secrets" file.
      #   secret      = testing123
      #   shortname   = liv1
      #       # the following three fields are optional, but may be used by
      #       # checkrad.pl for simultaneous usage checks
      #   nastype     = livingston
      #   login       = !root
      #   password    = someadminpas
      #}
      
      #######################################################################
      #
      #  Per-socket client lists.  The configuration entries are exactly
      #  the same as above, but they are nested inside of a section.
      #
      #  You can have as many per-socket client lists as you have "listen"
      #  sections, or you can re-use a list among multiple "listen" sections.
      #
      #  Un-comment this section, and edit a "listen" section to add:
      #  "clients = per_socket_clients".  That IP address/port combination
      #  will then accept ONLY the clients listed in this section.
      #
      #clients per_socket_clients {
      #   client 192.168.3.4 {
      #       secret = testing123
      #        }
      #}
      
      
      ---radiusd.conf (je n'ai pas modifié le fichier)
      
      ----users # fergis Auth-Type := local, User-Password == "fergisuriel"
      
      #
      #   Please read the documentation file ../doc/processing_users_file,
      #   or 'man 5 users' (after installing the server) for more information.
      #
      #   This file contains authentication security and configuration
      #   information for each user.  Accounting requests are NOT processed
      #   through this file.  Instead, see 'acct_users', in this directory.
      #
      #   The first field is the user's name and can be up to
      #   253 characters in length.  This is followed (on the same line) with
      #   the list of authentication requirements for that user.  This can
      #   include password, comm server name, comm server port number, protocol
      #   type (perhaps set by the "hints" file), and huntgroup name (set by
      #   the "huntgroups" file).
      #
      #   If you are not sure why a particular reply is being sent by the
      #   server, then run the server in debugging mode (radiusd -X), and
      #   you will see which entries in this file are matched.
      #
      #   When an authentication request is received from the comm server,
      #   these values are tested. Only the first match is used unless the
      #   "Fall-Through" variable is set to "Yes".
      #
      #   A special user named "DEFAULT" matches on all usernames.
      #   You can have several DEFAULT entries. All entries are processed
      #   in the order they appear in this file. The first entry that
      #   matches the login-request will stop processing unless you use
      #   the Fall-Through variable.
      #
      #   If you use the database support to turn this file into a .db or .dbm
      #   file, the DEFAULT entries _have_ to be at the end of this file and
      #   you can't have multiple entries for one username.
      #
      #   Indented (with the tab character) lines following the first
      #   line indicate the configuration values to be passed back to
      #   the comm server to allow the initiation of a user session.
      #   This can include things like the PPP configuration values
      #   or the host to log the user onto.
      #
      #   You can include another `users' file with `$INCLUDE users.other'
      #
      
      #
      #   For a list of RADIUS attributes, and links to their definitions,
      #   see:
      #
      #   http://www.freeradius.org/rfc/attributes.html
      #
      
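      #
      # Entry for the user "localhost".
      #
      # The user name and ALL of its check items go on ONE line.  A second
      # line that starts with the same user name is a separate entry, and
      # because the first matching entry has no 'Fall-Through', a password
      # given on a second "localhost" line would never be applied (see the
      # "Only the first match is used" note at the top of this file).
      #
      # The "known good" password is stored as Cleartext-Password so the
      # server can choose the authentication method itself (PAP, MS-CHAP
      # or the inner EAP method).  Do NOT force Auth-Type := EAP here: the
      # eap module sets Auth-Type on its own when the request carries an
      # EAP-Message, and forcing it makes every non-EAP request for this
      # user fail.  EAP-TLS does not use this password at all; it
      # authenticates the client with its certificate.
      #
      # Because the password is kept in clear text, this file must stay
      # readable only by the account the server runs as.
      #
      "localhost"    Cleartext-Password := "fergisuriel"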
      
      #
      # Deny access for a group of users.
      #
      # Note that there is NO 'Fall-Through' attribute, so the user will not
      # be given any additional resources.
      #
      #DEFAULT    Group == "disabled", Auth-Type := Reject
      #       Reply-Message = "Your account has been disabled."
      #
      
      #
      # This is a complete entry for "steve". Note that there is no Fall-Through
      # entry so that no DEFAULT entry will be used, and the user will NOT
      # get any attributes in addition to the ones listed here.
      #
      #steve  Cleartext-Password := "testing"
      #   Service-Type = Framed-User,
      #   Framed-Protocol = PPP,
      #   Framed-IP-Address = 172.16.3.33,
      #   Framed-IP-Netmask = 255.255.255.0,
      #   Framed-Routing = Broadcast-Listen,
      #   Framed-Filter-Id = "std.ppp",
      #   Framed-MTU = 1500,
      #   Framed-Compression = Van-Jacobsen-TCP-IP
      
      #
      # This is an entry for a user with a space in their name.
      # Note the double quotes surrounding the name.
      #
      #"John Doe" Cleartext-Password := "hello"
      #       Reply-Message = "Hello, %{User-Name}"
      
      #
      # Dial user back and telnet to the default host for that port
      #
      #Deg    Cleartext-Password := "ge55ged"
      #   Service-Type = Callback-Login-User,
      #   Login-IP-Host = 0.0.0.0,
      #   Callback-Number = "9,5551212",
      #   Login-Service = Telnet,
      #   Login-TCP-Port = Telnet
      
      #
      # Another complete entry. After the user "dialbk" has logged in, the
      # connection will be broken and the user will be dialed back after which
      # he will get a connection to the host "timeshare1".
      #
      #dialbk Cleartext-Password := "callme"
      #   Service-Type = Callback-Login-User,
      #   Login-IP-Host = timeshare1,
      #   Login-Service = PortMaster,
      #   Callback-Number = "9,1-800-555-1212"
      
      #
      # user "swilson" will only get a static IP number if he logs in with
      # a framed protocol on a terminal server in Alphen (see the huntgroups file).
      #
      # Note that by setting "Fall-Through", other attributes will be added from
      # the following DEFAULT entries
      #
      #swilson    Service-Type == Framed-User, Huntgroup-Name == "alphen"
      #       Framed-IP-Address = 192.168.1.65,
      #       Fall-Through = Yes
      
      #
      # If the user logs in as 'username.shell', then authenticate them
      # using the default method, give them shell access, and stop processing
      # the rest of the file.
      #
      #DEFAULT    Suffix == ".shell"
      #       Service-Type = Login-User,
      #       Login-Service = Telnet,
      #       Login-IP-Host = your.shell.machine
      
      
      #
      # The rest of this file contains the several DEFAULT entries.
      # DEFAULT entries match with all login names.
      # Note that DEFAULT entries can also Fall-Through (see first entry).
      # A name-value pair from a DEFAULT entry will _NEVER_ override
      # an already existing name-value pair.
      #
      
      #
      # Set up different IP address pools for the terminal servers.
      # Note that the "+" behind the IP address means that this is the "base"
      # IP address. The Port-Id (S0, S1 etc) will be added to it.
      #
      #DEFAULT    Service-Type == Framed-User, Huntgroup-Name == "alphen"
      #       Framed-IP-Address = 192.168.1.32+,
      #       Fall-Through = Yes
      
      #DEFAULT    Service-Type == Framed-User, Huntgroup-Name == "delft"
      #       Framed-IP-Address = 192.168.2.32+,
      #       Fall-Through = Yes
      
      #
      # Sample defaults for all framed connections.
      #
      #DEFAULT    Service-Type == Framed-User
      #   Framed-IP-Address = 255.255.255.254,
      #   Framed-MTU = 576,
      #   Service-Type = Framed-User,
      #   Fall-Through = Yes
      
      #
      # The three DEFAULT entries below are the only uncommented DEFAULT
      # entries left in this file.  They match every user name that was not
      # stopped by an earlier entry without 'Fall-Through' (the "localhost"
      # entry above has none, so they never apply to that user).  None of
      # them carries an Auth-Type or a password check item: they only add
      # framing reply attributes and do not decide whether a user is
      # accepted.
      #

      #
      # Default for PPP: dynamic IP address, PPP mode, VJ-compression.
      # NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
      #   by the terminal server in which case there may not be a "P" suffix.
      #   The terminal server sends "Framed-Protocol = PPP" for auto PPP.
      #
      DEFAULT Framed-Protocol == PPP
          Framed-Protocol = PPP,
          Framed-Compression = Van-Jacobson-TCP-IP
      
      #
      # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
      #
      DEFAULT Hint == "CSLIP"
          Framed-Protocol = SLIP,
          Framed-Compression = Van-Jacobson-TCP-IP
      
      #
      # Default for SLIP: dynamic IP address, SLIP mode.
      #
      DEFAULT Hint == "SLIP"
          Framed-Protocol = SLIP
      
      #
      # Last default: rlogin to our main server.
      #
      #DEFAULT
      #   Service-Type = Login-User,
      #   Login-Service = Rlogin,
      #   Login-IP-Host = shellbox.ispdomain.com
      
      # #
      # # Last default: shell on the local terminal server.
      # #
      # DEFAULT
      #   Service-Type = Administrative-User
      
      # On no match, the user is denied access.
      

      OK, j'espère que tu n'auras pas de maux de tête avec tout ça. Merci.

      Re: Certificat


        rlm_eap_tls: Error reading certificate file /usr/local/openssl-certgen/ssl/certs/serveur.pem

        « Error reading » ne veut pas dire que le fichier n'existe pas,
        juste que le programme ne peut pas le lire.

        Généralement, c'est un problème de droits d'accès à ce fichier (mauvais propriétaire ou mauvais groupe par rapport à l'utilisateur qui est utilisé par raddb).

