radius add nas record to nas table fail
My company has a RADIUS server that was used for auth; now I want to use it for a strongSwan VPN. After I configured strongSwan, I configured RADIUS by adding a record to the nas table like
10 | 172.16.2.10 | hlg-vpn | other | NULL | testing | NULL | NULL | RADIUS Client |
and OK, 172.16.2.10 is the IP address of the strongSwan server, and the nas table also contains other NAS records that work fine.
The record I added to the nas table doesn't seem to work. When I authenticate to the VPN with a RADIUS account, the RADIUS log looks like
Sat Jun 24 20:34:45 2017 : Error: Ignoring request to authentication address * port 1812 from unknown client 172.16.2.10 port 48394
Sat Jun 24 20:34:47 2017 : Error: Ignoring request to authentication address * port 1812 from unknown client 172.16.2.10 port 48394
Sat Jun 24 20:34:50 2017 : Error: Ignoring request to authentication address * port 1812 from unknown client 172.16.2.10 port 48394
Sat Jun 24 20:34:54 2017 : Error: Ignoring request to authentication address * port 1812 from unknown client 172.16.2.10 port 48394
I'm new to RADIUS; am I missing some config after adding a NAS record to the nas table? Could someone tell me why? Thanks.
Something else: I am sure the other NAS records in the table work fine, because the config seems correct, and I don't find any other config like those NAS records in the raddb directory. Also, I googled it, and the config file sql.conf indicates that the nas table is in use.
2 Answers
On the RADIUS server you need to define a list of RADIUS clients the server will accept packets from.
There are two reasons you need to define clients:
RADIUS packets use a PSK (Pre-Shared Key) for encrypting certain attributes and preventing packet modification. For security, each client should use a different PSK. The client definitions associate different secrets with different clients' IP addresses.
Processing RADIUS packets can sometimes be expensive in terms of the load on backend databases. It's useful to define ACLs which drop RADIUS packets before any processing is done. In FreeRADIUS, unless an IP address is matched by a client definition, the packet will be discarded.
Client definitions can be created in multiple ways, but the easiest is with the raddb/clients.conf file (or freeradius/clients.conf on Debian).
A client entry that'd match your SQL record would be:
client hlg-vpn {
    ipaddr = 172.16.2.10
    secret = testing
}
If you want to continue using SQL based clients, then check that the read_clients pair in the sql module's config is uncommented and set to yes, and that the sql module is listed/uncommented in at least one authorize, accounting, post-auth etc. section, or is listed in the instantiate {} section in raddb/radiusd.conf.
Another thing to check is that the "server" field for each NAS is filled out and matches the virtual-server with which this NAS is to be used. If you only have the "default" virtual server enabled in "sites-enabled" then set this field to "default".
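As an added example (not part of the original answer or of FreeRADIUS itself), the check below models the nas table with the column order from the question, pulls the same columns the sql module's client query reads when read_clients is enabled, and triages "unknown client" log lines against it: for each rejected source IP it reports whether any nasname (a plain IP, or a CIDR prefix, which is assumed to be accepted like ipaddr) covers it, whether the server field is NULL, and renders the equivalent clients.conf stanza. The table rows and log lines are constructed; the second row (office-wifi) and the extra IPs are invented for illustration.

```python
import ipaddress
import re
import sqlite3

# Constructed: a nas table with the same nine columns as the row in the
# question (id, nasname, shortname, type, ports, secret, server, community,
# description). The office-wifi row and the CIDR nasname are assumptions.
NAS_SCHEMA = """
CREATE TABLE nas (
  id INTEGER PRIMARY KEY,
  nasname TEXT NOT NULL,
  shortname TEXT,
  type TEXT DEFAULT 'other',
  ports INTEGER,
  secret TEXT NOT NULL,
  server TEXT,
  community TEXT,
  description TEXT DEFAULT 'RADIUS Client'
)
"""

SAMPLE_NAS_ROWS = [
    (10, "172.16.2.10", "hlg-vpn", "other", None, "testing", None, None, "RADIUS Client"),
    (3, "10.0.0.0/24", "office-wifi", "other", None, "wifisecret", "default", None, "RADIUS Client"),
]

# Constructed log lines in the format shown in the question.
SAMPLE_LOG = """\
Sat Jun 24 20:34:45 2017 : Error: Ignoring request to authentication address * port 1812 from unknown client 172.16.2.10 port 48394
Sat Jun 24 20:34:47 2017 : Error: Ignoring request to authentication address * port 1812 from unknown client 172.16.2.10 port 48394
Sat Jun 24 20:35:02 2017 : Error: Ignoring request to authentication address * port 1812 from unknown client 10.0.0.77 port 51000
Sat Jun 24 20:35:10 2017 : Error: Ignoring request to authentication address * port 1812 from unknown client 192.0.2.9 port 40000
"""

UNKNOWN_CLIENT_RE = re.compile(r"from unknown client (\S+) port (\d+)")
CLIENT_COLUMNS = ("id", "nasname", "shortname", "type", "secret", "server")


def load_nas_table(rows):
    """Create an in-memory nas table and load the sample rows into it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(NAS_SCHEMA)
    conn.executemany("INSERT INTO nas VALUES (?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def read_clients(conn):
    """Select the columns a read_clients query needs, as a list of dicts."""
    cur = conn.execute(
        "SELECT id, nasname, shortname, type, secret, server FROM nas ORDER BY id"
    )
    return [dict(zip(CLIENT_COLUMNS, row)) for row in cur]


def unknown_client_ips(log_text):
    """Source IPs that FreeRADIUS rejected because no client definition matched."""
    return sorted({m.group(1) for m in UNKNOWN_CLIENT_RE.finditer(log_text)})


def match_client(ip, clients):
    """Return the client whose nasname (single IP or CIDR) covers ip, else None."""
    addr = ipaddress.ip_address(ip)
    for client in clients:
        try:
            net = ipaddress.ip_network(client["nasname"], strict=False)
        except ValueError:
            continue  # hostname nasnames are not resolved here (assumption)
        if addr in net:
            return client
    return None


def triage(log_text, clients):
    """Map each rejected IP to the most likely reason it was rejected."""
    report = {}
    for ip in unknown_client_ips(log_text):
        client = match_client(ip, clients)
        if client is None:
            report[ip] = "no nas row covers this IP"
        elif not client["server"]:
            report[ip] = (f"nas row {client['id']} ({client['shortname']}) matches "
                          "but server is NULL; set it to the virtual server name")
        else:
            report[ip] = (f"nas row {client['id']} ({client['shortname']}) matches; "
                          "check read_clients = yes and that sql is instantiated")
    return report


def clients_conf_stanza(client):
    """Render the raddb/clients.conf entry equivalent to a nas row."""
    lines = [f"client {client['shortname']} {{",
             f"    ipaddr = {client['nasname']}",
             f"    secret = {client['secret']}"]
    if client["server"]:
        lines.append(f"    virtual_server = {client['server']}")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    clients = read_clients(load_nas_table(SAMPLE_NAS_ROWS))
    for ip, reason in triage(SAMPLE_LOG, clients).items():
        print(f"{ip}: {reason}")
    print(clients_conf_stanza(match_client("172.16.2.10", clients)))
```

Run against a real deployment, replace the sqlite connection with the one your sql module uses and feed it the live radius.log; a row that matches but is still rejected points at read_clients or module instantiation rather than at the table.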