Forum Linux.debian/ubuntu erreur radius

Posté par . Licence CC By‐SA.
Étiquettes : aucune
-12
30
juil.
2016
including configuration file /usr/local/etc/raddb/modules/dhcp_sqlippool
including configuration file /usr/local/etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /usr/local/etc/raddb/modules/radrelay
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
main {
 allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
 name = "radiusd"
 prefix = "/usr/local"
 localstatedir = "/usr/local/var"
 sbindir = "/usr/local/sbin"
 logdir = "/usr/local/var/log/radius"
 run_dir = "/usr/local/var/run/radiusd"
 libdir = "/usr/local/lib"
 radacctdir = "/usr/local/var/log/radius/radacct"
 hostname_lookups = no
 max_request_time = 30
 cleanup_delay = 5
 max_requests = 1024
 pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 checkrad = "/usr/local/sbin/checkrad"
 debug_level = 0
 proxy_requests = yes
 log {
 stripped_names = no
 auth = no
 auth_badpass = no
 auth_goodpass = no
 }
 security {
 max_attributes = 200
 reject_delay = 1
 status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
 retry_delay = 5
 retry_count = 3
 default_fallback = no
 dead_time = 120
 wake_all_if_all_dead = no
 }
 home_server localhost {
 ipaddr = 127.0.0.1
 port = 1812
 type = "auth"
 secret = "testing123"
 response_window = 20
 max_outstanding = 65536
 require_message_authenticator = yes
 zombie_period = 40
 status_check = "status-server"
 ping_interval = 30
 check_interval = 30
 num_answers_to_alive = 3
 num_pings_to_alive = 3
 revive_interval = 120
 status_check_timeout = 4
 coa {
 irt = 2
 mrt = 16
 mrc = 5
 mrd = 30
 }
 }
 home_server_pool my_auth_failover {
 type = fail-over
 home_server = localhost
 }
 realm example.com {
 auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
 ipaddr = 127.0.0.1
 require_message_authenticator = no
 secret = "testing123"
 shortname = "localhost"
 nastype = "other"
 }
 client 127.0.0.1 {
 require_message_authenticator = no
 secret = "testing123"
 shortname = "localhost"
 nastype = "other"
 }
WARNING: Ignoring duplicate client 127.0.0.1
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec
 exec {
 wait = no
 input_pairs = "request"
 shell_escape = yes
 timeout = 10
 }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration
 expiration {
 reply-message = "Password Has Expired "
 }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime
 logintime {
 reply-message = "You are calling outside your allowed timespan "
 minimum-timeout = 60
 }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
 modules {
 Module: Creating Auth-Type = digest
 Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap
 pap {
 encryption_scheme = "auto"
 auto_header = no
 }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap
 mschap {
 use_mppe = yes
 require_encryption = no
 require_strong = no
 with_ntdomain_hack = no
 allow_retry = yes
 }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix
 unix {
 radwtmp = "/usr/local/var/log/radius/radwtmp"
 }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
 eap {
 default_eap_type = "tls"
 timer_expire = 60
 ignore_unknown_eap_types = no
 cisco_accounting_username_bug = no
 max_sessions = 4096
 }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
 gtc {
 challenge = "Password: "
 auth_type = "PAP"
 }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
 tls {
 rsa_key_exchange = no
 dh_key_exchange = yes
 rsa_key_length = 512
 dh_key_length = 512
 verify_depth = 0
 CA_path = "/usr/local/openssl-certgen/ssl/certs"
 pem_file_type = yes
 private_key_file = "/usr/local/openssl-certgen/ssl/certs/serveur.pem"
 certificate_file = "/usr/local/openssl-certgen/ssl/certs/serveur.pem"
 CA_file = "/usr/local/openssl-certgen/ssl/certs/root.pem"
 private_key_password = "fergisuriel"
 dh_file = "/usr/local/openssl-certgen/ssl/certs/dh"
 random_file = "/usr/local/openssl-certgen/ssl/certs/random"
 fragment_size = 1024
 include_length = yes
 check_crl = no
 check_cert_cn = "%{User-Name}"
 cipher_list = "DEFAULT"
 make_cert_command = "/usr/local/openssl-certgen/ssl/certs/bootstrap"
 ecdh_curve = "prime256v1"
 cache {
 enable = no
 lifetime = 24
 max_entries = 255
 }
 verify {
 }
 ocsp {
 enable = no
 override_cert_url = yes
 url = "http://127.0.0.1/ocsp/"
 use_nonce = yes
 timeout = 0
 softfail = no
 }
 }
rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
rlm_eap_tls: Error reading certificate file /usr/local/openssl-certgen/ssl/certs/serveur.pem
rlm_eap: Failed to initialize type tls
/usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/usr/local/etc/raddb/sites-enabled/default[310]: Failed to find "eap" in the "modules" section.
/usr/local/etc/raddb/sites-enabled/default[252]: Errors parsing authenticate section. 
root@fredy:/usr/local/etc/raddb# ^C
root@fredy:/usr/local/etc/raddb# clear
root@fredy:/usr/local/etc/raddb# radiusd -X
radiusd: FreeRADIUS Version 2.2.2, for host x86_64-unknown-linux-gnu, built on Nov 11 2015 at 16:12:24
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/cache
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/dhcp_sqlippool
including configuration file /usr/local/etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /usr/local/etc/raddb/modules/radrelay
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
main {
 allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
 name = "radiusd"
 prefix = "/usr/local"
 localstatedir = "/usr/local/var"
 sbindir = "/usr/local/sbin"
 logdir = "/usr/local/var/log/radius"
 run_dir = "/usr/local/var/run/radiusd"
 libdir = "/usr/local/lib"
 radacctdir = "/usr/local/var/log/radius/radacct"
 hostname_lookups = no
 max_request_time = 30
 cleanup_delay = 5
 max_requests = 1024
 pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 checkrad = "/usr/local/sbin/checkrad"
 debug_level = 0
 proxy_requests = yes
 log {
 stripped_names = no
 auth = no
 auth_badpass = no
 auth_goodpass = no
 }
 security {
 max_attributes = 200
 reject_delay = 1
 status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
 retry_delay = 5
 retry_count = 3
 default_fallback = no
 dead_time = 120
 wake_all_if_all_dead = no
 }
 home_server localhost {
 ipaddr = 127.0.0.1
 port = 1812
 type = "auth"
 secret = "testing123"
 response_window = 20
 max_outstanding = 65536
 require_message_authenticator = yes
 zombie_period = 40
 status_check = "status-server"
 ping_interval = 30
 check_interval = 30
 num_answers_to_alive = 3
 num_pings_to_alive = 3
 revive_interval = 120
 status_check_timeout = 4
 coa {
 irt = 2
 mrt = 16
 mrc = 5
 mrd = 30
 }
 }
 home_server_pool my_auth_failover {
 type = fail-over
 home_server = localhost
 }
 realm example.com {
 auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
 ipaddr = 127.0.0.1
 require_message_authenticator = no
 secret = "testing123"
 shortname = "localhost"
 nastype = "other"
 }
 client 127.0.0.1 {
 require_message_authenticator = no
 secret = "testing123"
 shortname = "localhost"
 nastype = "other"
 }
WARNING: Ignoring duplicate client 127.0.0.1
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec
 exec {
 wait = no
 input_pairs = "request"
 shell_escape = yes
 timeout = 10
 }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration
 expiration {
 reply-message = "Password Has Expired "
 }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime
 logintime {
 reply-message = "You are calling outside your allowed timespan "
 minimum-timeout = 60
 }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
 modules {
 Module: Creating Auth-Type = digest
 Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap
 pap {
 encryption_scheme = "auto"
 auto_header = no
 }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap
 mschap {
 use_mppe = yes
 require_encryption = no
 require_strong = no
 with_ntdomain_hack = no
 allow_retry = yes
 }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix
 unix {
 radwtmp = "/usr/local/var/log/radius/radwtmp"
 }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
 eap {
 default_eap_type = "tls"
 timer_expire = 60
 ignore_unknown_eap_types = no
 cisco_accounting_username_bug = no
 max_sessions = 4096
 }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
 gtc {
 challenge = "Password: "
 auth_type = "PAP"
 }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
 tls {
 rsa_key_exchange = no
 dh_key_exchange = yes
 rsa_key_length = 512
 dh_key_length = 512
 verify_depth = 0
 CA_path = "/usr/local/openssl-certgen/ssl/certs"
 pem_file_type = yes
 private_key_file = "/usr/local/openssl-certgen/ssl/certs/serveur.pem"
 certificate_file = "/usr/local/openssl-certgen/ssl/certs/serveur.pem"
 CA_file = "/usr/local/openssl-certgen/ssl/certs/root.pem"
 private_key_password = "fergisuriel"
 dh_file = "/usr/local/openssl-certgen/ssl/certs/dh"
 random_file = "/usr/local/openssl-certgen/ssl/certs/random"
 fragment_size = 1024
 include_length = yes
 check_crl = no
 check_cert_cn = "%{User-Name}"
 cipher_list = "DEFAULT"
 make_cert_command = "/usr/local/openssl-certgen/ssl/certs/bootstrap"
 ecdh_curve = "prime256v1"
 cache {
 enable = no
 lifetime = 24
 max_entries = 255
 }
 verify {
 }
 ocsp {
 enable = no
 override_cert_url = yes
 url = "http://127.0.0.1/ocsp/"
 use_nonce = yes
 timeout = 0
 softfail = no
 }
 }
rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
rlm_eap_tls: Error reading certificate file /usr/local/openssl-certgen/ssl/certs/serveur.pem
rlm_eap: Failed to initialize type tls
/usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/usr/local/etc/raddb/sites-enabled/default[310]: Failed to find "eap" in the "modules" section.
/usr/local/etc/raddb/sites-enabled/default[252]: Errors parsing authenticate section. 
root@fredy:/usr/local/etc/raddb# 
  • # Certificat

    Posté par . Évalué à 5.

    Error reading certificate file /usr/local/openssl-certgen/ssl/certs/serveur.pem

    J’y connais pas grand chose mais comme ça je dirais qu’il et nécessaire que tu génères un certificat pour SSL ce que tu n’as à priori pas fait. C’est là dessus que porterait ma recherche si j’étais à ta place.

    C’est peut-être ça qui provoque l’erreur suivante : Errors parsing authenticate section.

    Comme d’autres personnes te l’ont dit : décris ce que tu cherches à faire, quelles sont les modifications que tu as apporté au fichier, etc...

    Là en l’état ça donne pas envie d’aider.

    • [^] # Re: Certificat

      Posté par . Évalué à 0. Dernière modification le 30 juillet 2016 à 17:57.

      ~~OS et logiciels impliques
      - Linux debian wheezy 7.0.0 amd 64 pour le serveur
      - Windows XP, 7 pour les postes clients
      - openssl-1.0.0s.tar.gz
      - freeradius-server-2.2.2 .tar.gz

      ce que je veux faire:Contribution à l’amélioration de la sécurité d’un réseau wifi au moyen d'un serveur d’authentification RADIUS sous Debian

      le problème:quand je lance la commande radiusd -x je reçois vers la fin un message d'erreur que voici :

      rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
      rlm_eap_tls: Error reading certificate file /usr/local/openssl-certgen/ssl/certs/serveur.pem
      rlm_eap: Failed to initialize type tls
      /usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
      /usr/local/etc/raddb/sites-enabled/default[310]: Failed to find "eap" in the "modules" section.
      /usr/local/etc/raddb/sites-enabled/default[252]: Errors parsing authenticate section. 
      

      or j'ai compilé tous les certificats (xpextensions, CA.root, CA.svr, CA.clt) dans le dossier « /usr/local/openssl-certgen/ssl/certs » ce qui me donne les fichiers demoCA fergis.der fergis.p12 fergis.pem newcert.pem root.der root.p12 root.pem serveur.der serveur.p12 serveur.pem xpextensions

      a noter qu'ici le client=fergis

      /usr/local/etc/raddb# ce dossier contient les fichiers eap.conf ; clients.conf; radiusd.conf et users que j'ai modifié .

      un apercu: eap.conf

      # -*- text -*-
      ##
      ## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
      ##
      ## $Id: d2c2b658bed01c345e9e34d7420a5d0e5541eeae $
      #######################################################################
      #
      # Whatever you do, do NOT set 'Auth-Type := EAP'. The server
      # is smart enough to figure this out on its own. The most
      # common side effect of setting 'Auth-Type := EAP' is that the
      # users then cannot use ANY other authentication method.
      #
      # EAP types NOT listed here may be supported via the "eap2" module.
      # See experimental.conf for documentation.
      #
       eap {
       # Invoke the default supported EAP type when
       # EAP-Identity response is received.
       #
       # The incoming EAP messages DO NOT specify which EAP
       # type they will be using, so it MUST be set here.
       #
       # For now, only one default EAP type may be used at a time.
       #
       # If the EAP-Type attribute is set by another module,
       # then that EAP type takes precedence over the
       # default type configured here.
       #
       default_eap_type = tls
       # A list is maintained to correlate EAP-Response
       # packets with EAP-Request packets. After a
       # configurable length of time, entries in the list
       # expire, and are deleted.
       #
       timer_expire = 60
       # There are many EAP types, but the server has support
       # for only a limited subset. If the server receives
       # a request for an EAP type it does not support, then
       # it normally rejects the request. By setting this
       # configuration to "yes", you can tell the server to
       # instead keep processing the request. Another module
       # MUST then be configured to proxy the request to
       # another RADIUS server which supports that EAP type.
       #
       # If another module is NOT configured to handle the
       # request, then the request will still end up being
       # rejected.
       ignore_unknown_eap_types = no
       # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
       # a User-Name attribute in an Access-Accept, it copies one
       # more byte than it should.
       #
       # We can work around it by configurably adding an extra
       # zero byte.
       cisco_accounting_username_bug = no
       #
       # Help prevent DoS attacks by limiting the number of
       # sessions that the server is tracking. Most systems
       # can handle ~30 EAP sessions/s, so the default limit
       # of 4096 should be OK.
       max_sessions = 4096
       # Supported EAP-types
       #
       # We do NOT recommend using EAP-MD5 authentication
       # for wireless connections. It is insecure, and does
       # not provide for dynamic WEP keys.
       #
      md5{
       }
       # Cisco LEAP
       #
       # We do not recommend using LEAP in new deployments. See:
       # http://www.securiteam.com/tools/5TP012ACKE.html
       #
       # Cisco LEAP uses the MS-CHAP algorithm (but not
       # the MS-CHAP attributes) to perform it's authentication.
       #
       # As a result, LEAP *requires* access to the plain-text
       # User-Password, or the NT-Password attributes.
       # 'System' authentication is impossible with LEAP.
       #
       leap {
       }
       # Generic Token Card.
       #
       # Currently, this is only permitted inside of EAP-TTLS,
       # or EAP-PEAP. The module "challenges" the user with
       # text, and the response from the user is taken to be
       # the User-Password.
       #
       # Proxying the tunneled EAP-GTC session is a bad idea,
       # the users password will go over the wire in plain-text,
       # for anyone to see.
       #
       gtc {
       # The default challenge, which many clients
       # ignore..
       #challenge = "Password: "
       # The plain-text response which comes back
       # is put into a User-Password attribute,
       # and passed to another module for
       # authentication. This allows the EAP-GTC
       # response to be checked against plain-text,
       # or crypt'd passwords.
       #
       # If you say "Local" instead of "PAP", then
       # the module will look for a User-Password
       # configured for the request, and do the
       # authentication itself.
       #
       auth_type = PAP
       }
       ## EAP-TLS
       #
       # See raddb/certs/README for additional comments
       # on certificates.
       #
       # If OpenSSL was not found at the time the server was
       # built, the "tls", "ttls", and "peap" sections will
       # be ignored.
       #
       # Otherwise, when the server first starts in debugging
       # mode, test certificates will be created. See the
       # "make_cert_command" below for details, and the README
       # file in raddb/certs
       #
       # These test certificates SHOULD NOT be used in a normal
       # deployment. They are created only to make it easier
       # to install the server, and to perform some simple
       # tests with EAP-TLS, TTLS, or PEAP.
       #
       # See also:
       #
       # http://www.dslreports.com/forum/remark,9286052~mode=flat
       #
       # Note that you should NOT use a globally known CA here!
       # e.g. using a Verisign cert as a "known CA" means that
       # ANYONE who has a certificate signed by them can
       # authenticate via EAP-TLS! This is likely not what you want.
       tls {
       #
       # These is used to simplify later configurations.
       #
       certdir =/usr/local/openssl-certgen/ssl/certs
       cadir =/usr/local/openssl-certgen/ssl/certs 
       certdir = ${confdir}/certs
       cadir = ${confdir}/certs
       private_key_password = fergisuriel
       private_key_file = ${certdir}/serveur.pem
       # If Private key & Certificate are located in
       # the same file, then private_key_file &
       # certificate_file must contain the same file
       # name.
       #
       # If CA_file (below) is not used, then the
       # certificate_file below MUST include not
       # only the server certificate, but ALSO all
       # of the CA certificates used to sign the
       # server certificate.
       certificate_file = /usr/local/openssl-certgen/ssl/certs/serveur.pem
       # Trusted Root CA list
       #
       # ALL of the CA's in this list will be trusted
       # to issue client certificates for authentication.
       #
       # In general, you should use self-signed
       # certificates for 802.1x (EAP) authentication.
       # In that case, this CA file should contain
       # *one* CA certificate.
       #
       # This parameter is used only for EAP-TLS,
       # when you issue client certificates. If you do
       # not use client certificates, and you do not want
       # to permit EAP-TLS authentication, then delete
       # this configuration item.
       CA_file = /usr/local/openssl-certgen/ssl/certs/root.pem
       #
       # For DH cipher suites to work, you have to
       # run OpenSSL to create the DH file first:
       #
       # openssl dhparam -out certs/dh 1024
       #
       dh_file = ${certdir}/dh
       #
       # If your system doesn't have /dev/urandom,
       # you will need to create this file, and
       # periodically change its contents.
       #
       # For security reasons, FreeRADIUS doesn't
       # write to files in its configuration
       # directory.
       #
       random_file = ${certdir}/random
       #
       # This can never exceed the size of a RADIUS
       # packet (4096 bytes), and is preferably half
       # that, to accomodate other attributes in
       # RADIUS packet. On most APs the MAX packet
       # length is configured between 1500 - 1600
       # In these cases, fragment size should be
       # 1024 or less.
       #
       fragment_size = 1024
       # include_length is a flag which is
       # by default set to yes If set to
       # yes, Total Length of the message is
       # included in EVERY packet we send.
       # If set to no, Total Length of the
       # message is included ONLY in the
       # First packet of a fragment series.
       #
       include_length = yes
       # Check the Certificate Revocation List
       #
       # 1) Copy CA certificates and CRLs to same directory.
       # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
       # 'c_rehash' is OpenSSL's command.
       # 3) uncomment the line below.
       # 5) Restart radiusd
       # check_crl = yes
       CA_path = ${cadir}
       #
       # If check_cert_issuer is set, the value will
       # be checked against the DN of the issuer in
       # the client certificate. If the values do not
       # match, the cerficate verification will fail,
       # rejecting the user.
       #
       # In 2.1.10 and later, this check can be done
       # more generally by checking the value of the
       # TLS-Client-Cert-Issuer attribute. This check
       # can be done via any mechanism you choose.
       #
       # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
       #
       # If check_cert_cn is set, the value will
       # be xlat'ed and checked against the CN
       # in the client certificate. If the values
       # do not match, the certificate verification
       # will fail rejecting the user.
       #
       # This check is done only if the previous
       # "check_cert_issuer" is not set, or if
       # the check succeeds.
       #
       # In 2.1.10 and later, this check can be done
       # more generally by checking the value of the
       # TLS-Client-Cert-CN attribute. This check
       # can be done via any mechanism you choose.
       #
       check_cert_cn = %{User-Name}
       #
       # Set this option to specify the allowed
       # TLS cipher suites. The format is listed
       # in "man 1 ciphers".
       cipher_list = "DEFAULT"
       #
       # As part of checking a client certificate, the EAP-TLS
       # sets some attributes such as TLS-Client-Cert-CN. This
       # virtual server has access to these attributes, and can
       # be used to accept or reject the request.
       #
       # virtual_server = check-eap-tls
       # This command creates the initial "snake oil"
       # certificates when the server is run as root,
       # and via "radiusd -X".
       #
       # As of 2.1.11, it *also* checks the server
       # certificate for validity, including expiration.
       # This means that radiusd will refuse to start
       # when the certificate has expired. The alternative
       # is to have the 802.1X clients refuse to connect
       # when they discover the certificate has expired.
       #
       # Debugging client issues is hard, so it's better
       # for the server to print out an error message,
       # and refuse to start.
       #
       make_cert_command = "${certdir}/bootstrap"
       #
       # Elliptical cryptography configuration
       #
       # Only for OpenSSL >= 0.9.8.f
       #
       ecdh_curve = "prime256v1"
       #
       # Session resumption / fast reauthentication
       # cache.
       #
       # The cache contains the following information:
       #
       # session Id - unique identifier, managed by SSL
       # User-Name - from the Access-Accept
       # Stripped-User-Name - from the Access-Request
       # Cached-Session-Policy - from the Access-Accept
       #
       # The "Cached-Session-Policy" is the name of a
       # policy which should be applied to the cached
       # session. This policy can be used to assign
       # VLANs, IP addresses, etc. It serves as a useful
       # way to re-apply the policy from the original
       # Access-Accept to the subsequent Access-Accept
       # for the cached session.
       #
       # On session resumption, these attributes are
       # copied from the cache, and placed into the
       # reply list.
       #
       # You probably also want "use_tunneled_reply = yes"
       # when using fast session resumption.
       #
       cache {
       #
       # Enable it. The default is "no".
       # Deleting the entire "cache" subsection
       # Also disables caching.
       #
       # You can disallow resumption for a
       # particular user by adding the following
       # attribute to the control item list:
       #
       # Allow-Session-Resumption = No
       #
       # If "enable = no" below, you CANNOT
       # enable resumption for just one user
       # by setting the above attribute to "yes".
       #
       enable = no
       #
       # Lifetime of the cached entries, in hours.
       # The sessions will be deleted after this
       # time.
       #
       lifetime = 24 # hours
       #
       # The maximum number of entries in the
       # cache. Set to "0" for "infinite".
       #
       # This could be set to the number of users
       # who are logged in... which can be a LOT.
       #
       max_entries = 255
       }
       #
       # As of version 2.1.10, client certificates can be
       # validated via an external command. This allows
       # dynamic CRLs or OCSP to be used.
       #
       # This configuration is commented out in the
       # default configuration. Uncomment it, and configure
       # the correct paths below to enable it.
       #
       verify {
       # A temporary directory where the client
       # certificates are stored. This directory
       # MUST be owned by the UID of the server,
       # and MUST not be accessible by any other
       # users. When the server starts, it will do
       # "chmod go-rwx" on the directory, for
       # security reasons. The directory MUST
       # exist when the server starts.
       #
       # You should also delete all of the files
       # in the directory when the server starts.
       # tmpdir = /tmp/radiusd
       # The command used to verify the client cert.
       # We recommend using the OpenSSL command-line
       # tool.
       #
       # The ${..CA_path} text is a reference to
       # the CA_path variable defined above.
       #
       # The %{TLS-Client-Cert-Filename} is the name
       # of the temporary file containing the cert
       # in PEM format. This file is automatically
       # deleted by the server when the command
       # returns.
       # client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
       }
       #
       # OCSP Configuration
       # Certificates can be verified against an OCSP
       # Responder. This makes it possible to immediately
       # revoke certificates without the distribution of
       # new Certificate Revokation Lists (CRLs).
       #
       ocsp {
       #
       # Enable it. The default is "no".
       # Deleting the entire "ocsp" subsection
       # Also disables ocsp checking
       #
       enable = no
       #
       # The OCSP Responder URL can be automatically
       # extracted from the certificate in question.
       # To override the OCSP Responder URL set
       # "override_cert_url = yes". 
       #
       override_cert_url = yes
       #
       # If the OCSP Responder address is not
       # extracted from the certificate, the
       # URL can be defined here.
       #
       # Limitation: Currently the HTTP
       # Request is not sending the "Host: "
       # information to the web-server. This
       # can be a problem if the OCSP
       # Responder is running as a vhost.
       #
       url = "http://127.0.0.1/ocsp/"
       #
       # If the OCSP Responder can not cope with nonce
       # in the request, then it can be disabled here.
       #
       # For security reasons, disabling this option
       # is not recommended as nonce protects against
       # replay attacks.
       #
       # Note that Microsoft AD Certificate Services OCSP
       # Responder does not enable nonce by default. It is
       # more secure to enable nonce on the responder than
       # to disable it in the query here.
       # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
       #
       # use_nonce = yes
       #
       # Number of seconds before giving up waiting
       # for OCSP response. 0 uses system default.
       #
       # timeout = 0
       #
       # Normally an error in querying the OCSP
       # responder (no response from server, server did
       # not understand the request, etc) will result in
       # a validation failure.
       #
       # To treat these errors as 'soft' failures and
       # still accept the certificate, enable this
       # option.
       # 
       # Warning: this may enable clients with revoked
       # certificates to connect if the OCSP responder
       # is not available. Use with caution.
       #
       # softfail = no
       }
       }
       # The TTLS module implements the EAP-TTLS protocol,
       # which can be described as EAP inside of Diameter,
       # inside of TLS, inside of EAP, inside of RADIUS...
       #
       # Surprisingly, it works quite well.
       #
       # The TTLS module needs the TLS module to be installed
       # and configured, in order to use the TLS tunnel
       # inside of the EAP packet. You will still need to
       # configure the TLS module, even if you do not want
       # to deploy EAP-TLS in your network. Users will not
       # be able to request EAP-TLS, as it requires them to
       # have a client certificate. EAP-TTLS does not
       # require a client certificate.
       #
       # You can make TTLS require a client cert by setting
       #
       # EAP-TLS-Require-Client-Cert = Yes
       #
       # in the control items for a request.
       #
       ttls {
       # The tunneled EAP session needs a default
       # EAP type which is separate from the one for
       # the non-tunneled EAP module. Inside of the
       # TTLS tunnel, we recommend using EAP-MD5.
       # If the request does not contain an EAP
       # conversation, then this configuration entry
       # is ignored.
       default_eap_type = md5
       # The tunneled authentication request does
       # not usually contain useful attributes
       # like 'Calling-Station-Id', etc. These
       # attributes are outside of the tunnel,
       # and normally unavailable to the tunneled
       # authentication request.
       #
       # By setting this configuration entry to
       # 'yes', any attribute which NOT in the
       # tunneled authentication request, but
       # which IS available outside of the tunnel,
       # is copied to the tunneled request.
       #
       # allowed values: {no, yes}
       copy_request_to_tunnel = no
       # The reply attributes sent to the NAS are
       # usually based on the name of the user
       # 'outside' of the tunnel (usually
       # 'anonymous'). If you want to send the
       # reply attributes based on the user name
       # inside of the tunnel, then set this
       # configuration entry to 'yes', and the reply
       # to the NAS will be taken from the reply to
       # the tunneled request.
       #
       # allowed values: {no, yes}
       use_tunneled_reply = no
       #
       # The inner tunneled request can be sent
       # through a virtual server constructed
       # specifically for this purpose.
       #
       # If this entry is commented out, the inner
       # tunneled request will be sent through
       # the virtual server that processed the
       # outer requests.
       #
       virtual_server = "inner-tunnel"
       # This has the same meaning as the
       # same field in the "tls" module, above.
       # The default value here is "yes".
       # include_length = yes
       }
       ##################################################
       #
       # !!!!! WARNINGS for Windows compatibility !!!!!
       #
       ##################################################
       #
       # If you see the server send an Access-Challenge,
       # and the client never sends another Access-Request,
       # then
       #
       # STOP!
       #
       # The server certificate has to have special OID's
       # in it, or else the Microsoft clients will silently
       # fail. See the "scripts/xpextensions" file for
       # details, and the following page:
       #
       # http://support.microsoft.com/kb/814394/en-us
       #
       # For additional Windows XP SP2 issues, see:
       #
       # http://support.microsoft.com/kb/885453/en-us
       #
       #
       # If is still doesn't work, and you're using Samba,
       # you may be encountering a Samba bug. See:
       #
       # https://bugzilla.samba.org/show_bug.cgi?id=6563
       #
       # Note that we do not necessarily agree with their
       # explanation... but the fix does appear to work.
       #
       ##################################################
       #
       # The tunneled EAP session needs a default EAP type
       # which is separate from the one for the non-tunneled
       # EAP module. Inside of the TLS/PEAP tunnel, we
       # recommend using EAP-MS-CHAPv2.
       #
       # The PEAP module needs the TLS module to be installed
       # and configured, in order to use the TLS tunnel
       # inside of the EAP packet. You will still need to
       # configure the TLS module, even if you do not want
       # to deploy EAP-TLS in your network. Users will not
       # be able to request EAP-TLS, as it requires them to
       # have a client certificate. EAP-PEAP does not
       # require a client certificate.
       #
       #
       # You can make PEAP require a client cert by setting
       #
       # EAP-TLS-Require-Client-Cert = Yes
       #
       # in the control items for a request.
       #
       peap {
       # The tunneled EAP session needs a default
       # EAP type which is separate from the one for
       # the non-tunneled EAP module. Inside of the
       # PEAP tunnel, we recommend using MS-CHAPv2,
       # as that is the default type supported by
       # Windows clients.
       default_eap_type = mschapv2
       # the PEAP module also has these configuration
       # items, which are the same as for TTLS.
       copy_request_to_tunnel = no
       use_tunneled_reply = no
       # When the tunneled session is proxied, the
       # home server may not understand EAP-MSCHAP-V2.
       # Set this entry to "no" to proxy the tunneled
       # EAP-MSCHAP-V2 as normal MSCHAPv2.
       # proxy_tunneled_request_as_eap = yes
       #
       # The inner tunneled request can be sent
       # through a virtual server constructed
       # specifically for this purpose.
       #
       # If this entry is commented out, the inner
       # tunneled request will be sent through
       # the virtual server that processed the
       # outer requests.
       #
       virtual_server = "inner-tunnel"
       # This option enables support for MS-SoH
       # see doc/SoH.txt for more info.
       # It is disabled by default.
       #
      # soh = yes
       #
       # The SoH reply will be turned into a request which
       # can be sent to a specific virtual server:
       #
      # soh_virtual_server = "soh-server"
       }
       #
       # This takes no configuration.
       #
       # Note that it is the EAP MS-CHAPv2 sub-module, not
       # the main 'mschap' module.
       #
       # Note also that in order for this sub-module to work,
       # the main 'mschap' module MUST ALSO be configured.
       #
       # This module is the *Microsoft* implementation of MS-CHAPv2
       # in EAP. There is another (incompatible) implementation
       # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
       # currently support.
       #
       mschapv2 {
       # Prior to version 2.1.11, the module never
       # sent the MS-CHAP-Error message to the
       # client. This worked, but it had issues
       # when the cached password was wrong. The
       # server *should* send "E=691 R=0" to the
       # client, which tells it to prompt the user
       # for a new password.
       #
       # The default is to behave as in 2.1.10 and
       # earlier, which is known to work. If you
       # set "send_error = yes", then the error
       # message will be sent back to the client.
       # This *may* help some clients work better,
       # but *may* also cause other clients to stop
       # working.
       #
      # send_error = no
       }
       } 
      clients.conf
      # -*- text -*-
      ##
      ## clients.conf -- client configuration directives
      ##
      ## $Id: 729c15d3e84c6cdb54a5f3652d93a2d7f8725fd4 $
      #######################################################################
      #
      # Define RADIUS clients (usually a NAS, Access Point, etc.).
      #
      # Defines a RADIUS client.
      #
      # '127.0.0.1' is another name for 'localhost'. It is enabled by default,
      # to allow testing of the server after an initial installation. If you
      # are not going to be permitting RADIUS queries from localhost, we suggest
      # that you delete, or comment out, this entry.
      #
      #
      #
      # Each client has a "short name" that is used to distinguish it from
      # other clients.
      #
      # In version 1.x, the string after the word "client" was the IP
      # address of the client. In 2.0, the IP address is configured via
      # the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
      # format is still accepted.
      #
      client localhost{
       # Allowed values are:
       # dotted quad (1.2.3.4)
       # hostname (radius.example.com)
       ipaddr = 127.0.0.1
       # OR, you can use an IPv6 address, but not both
       # at the same time.
      # ipv6addr = :: # any. ::1 == localhost
       #
       # A note on DNS: We STRONGLY recommend using IP addresses
       # rather than host names. Using host names means that the
       # server will do DNS lookups when it starts, making it
       # dependent on DNS. i.e. If anything goes wrong with DNS,
       # the server won't start!
       #
       # The server also looks up the IP address from DNS once, and
       # only once, when it starts. If the DNS record is later
       # updated, the server WILL NOT see that update.
       #
       # One client definition can be applied to an entire network.
       # e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
       # "netmask = 8"
       #
       # If not specified, the default netmask is 32 (i.e. /32)
       #
       # We do NOT recommend using anything other than 32. There
       # are usually other, better ways to achieve the same goal.
       # Using netmasks of other than 32 can cause security issues.
       #
       # You can specify overlapping networks (127/8 and 127.0/16)
       # In that case, the smallest possible network will be used
       # as the "best match" for the client.
       #
       # Clients can also be defined dynamically at run time, based
       # on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
       # etc.
       # See raddb/sites-available/dynamic-clients for details.
       #
      # netmask = 32
       #
       # The shared secret use to "encrypt" and "sign" packets between
       # the NAS and FreeRADIUS. You MUST change this secret from the
       # default, otherwise it's not a secret any more!
       #
       # The secret can be any string, up to 8k characters in length.
       #
       # Control codes can be entered vi octal encoding,
       # e.g. "101円102円" == "AB"
       # Quotation marks can be entered by escaping them,
       # e.g. "foo\"bar"
       #
       # A note on security: The security of the RADIUS protocol
       # depends COMPLETELY on this secret! We recommend using a
       # shared secret that is composed of:
       #
       # upper case letters
       # lower case letters
       # numbers
       #
       # And is at LEAST 8 characters long, preferably 16 characters in
       # length. The secret MUST be random, and should not be words,
       # phrase, or anything else that is recognizable.
       #
       # The default secret below is only for testing, and should
       # not be used in any real environment.
       #
       secret = testing123
       #
       # Old-style clients do not send a Message-Authenticator
       # in an Access-Request. RFC 5080 suggests that all clients
       # SHOULD include it in an Access-Request. The configuration
       # item below allows the server to require it. If a client
       # is required to include a Message-Authenticator and it does
       # not, then the packet will be silently discarded.
       #
       # allowed values: yes, no
       require_message_authenticator = no
       #
       # The short name is used as an alias for the fully qualified
       # domain name, or the IP address.
       #
       # It is accepted for compatibility with 1.x, but it is no
       # longer necessary in 2.0
       #
       shortname = localhost
       #
       # the following three fields are optional, but may be used by
       # checkrad.pl for simultaneous use checks
       #
       #
       # The nastype tells 'checkrad.pl' which NAS-specific method to
       # use to query the NAS for simultaneous use.
       #
       # Permitted NAS types are:
       #
       # cisco
       # computone
       # livingston
       # juniper
       # max40xx
       # multitech
       # netserver
       # pathras
       # patton
       # portslave
       # tc
       # usrhiper
       # other # for all other types
       #
       nastype = other
       # localhost isn't usually a NAS...
       #
       # The following two configurations are for future use.
       # The 'naspasswd' file is currently used to store the NAS
       # login name and password, which is used by checkrad.pl
       # when querying the NAS for simultaneous use.
       #
      # login = !root
      # password = someadminpas
       #
       # As of 2.0, clients can also be tied to a virtual server.
       # This is done by setting the "virtual_server" configuration
       # item, as in the example below.
       #
      # virtual_server = home1
       #
       # A pointer to the "home_server_pool" OR a "home_server"
       # section that contains the CoA configuration for this
       # client. For an example of a coa home server or pool,
       # see raddb/sites-available/originate-coa
      # coa_server = coa
      }
      # IPv6 Client
      #client ::1 {
      # secret = testing123
      # shortname = localhost
      #}
      #
      # All IPv6 Site-local clients
      #client fe80::/16 {
      # secret = testing123
      # shortname = localhost
      #}
      #client some.host.org {
      # secret = testing123
      # shortname = localhost
      #}
      #
      # You can now specify one secret for a network of clients.
      # When a client request comes in, the BEST match is chosen.
      # i.e. The entry from the smallest possible network.
      #
      #client 192.168.0.0/24 {
      # secret = testing123-1
      # shortname = private-network-1
      #}
      #
      #client 192.168.0.0/16 {
      # secret = testing123-2
      # shortname = private-network-2
      #}
      client 127.0.0.1 {
      secret = testing123
      shortname = localhost
      nastype = other
      }
      #client 10.10.10.10 {
      # # secret and password are mapped through the "secrets" file.
      # secret = testing123
      # shortname = liv1
      # # the following three fields are optional, but may be used by
      # # checkrad.pl for simultaneous usage checks
      # nastype = livingston
      # login = !root
      # password = someadminpas
      #}
      #######################################################################
      #
      # Per-socket client lists. The configuration entries are exactly
      # the same as above, but they are nested inside of a section.
      #
      # You can have as many per-socket client lists as you have "listen"
      # sections, or you can re-use a list among multiple "listen" sections.
      #
      # Un-comment this section, and edit a "listen" section to add:
      # "clients = per_socket_clients". That IP address/port combination
      # will then accept ONLY the clients listed in this section.
      #
      #clients per_socket_clients {
      # client 192.168.3.4 {
      # secret = testing123
      # }
      #}
      ---radiusd.conf (j'ai pas modifiee le fichier)
      ----users # fergis Auth-Type := local, User-Password == "fergisuriel"
      #
      # Please read the documentation file ../doc/processing_users_file,
      # or 'man 5 users' (after installing the server) for more information.
      #
      # This file contains authentication security and configuration
      # information for each user. Accounting requests are NOT processed
      # through this file. Instead, see 'acct_users', in this directory.
      #
      # The first field is the user's name and can be up to
      # 253 characters in length. This is followed (on the same line) with
      # the list of authentication requirements for that user. This can
      # include password, comm server name, comm server port number, protocol
      # type (perhaps set by the "hints" file), and huntgroup name (set by
      # the "huntgroups" file).
      #
      # If you are not sure why a particular reply is being sent by the
      # server, then run the server in debugging mode (radiusd -X), and
      # you will see which entries in this file are matched.
      #
      # When an authentication request is received from the comm server,
      # these values are tested. Only the first match is used unless the
      # "Fall-Through" variable is set to "Yes".
      #
      # A special user named "DEFAULT" matches on all usernames.
      # You can have several DEFAULT entries. All entries are processed
      # in the order they appear in this file. The first entry that
      # matches the login-request will stop processing unless you use
      # the Fall-Through variable.
      #
      # If you use the database support to turn this file into a .db or .dbm
      # file, the DEFAULT entries _have_ to be at the end of this file and
      # you can't have multiple entries for one username.
      #
      # Indented (with the tab character) lines following the first
      # line indicate the configuration values to be passed back to
      # the comm server to allow the initiation of a user session.
      # This can include things like the PPP configuration values
      # or the host to log the user onto.
      #
      # You can include another `users' file with `$INCLUDE users.other'
      #
      #
      # For a list of RADIUS attributes, and links to their definitions,
      # see:
      #
      # http://www.freeradius.org/rfc/attributes.html
      #
      #
      # Deny access for a specific user. Note that this entry MUST
      # be before any other 'Auth-Type' attribute which results in the user
      # being authenticated.
      #
      # Note that there is NO 'Fall-Through' attribute, so the user will not
      # be given any additional resources.
      #
       "localhost" Auth-Type := EAP
       "localhost" cleartext-password := "fergisuriel"
      # Reply-Message = "Your account has been disabled."
      #
      # Deny access for a group of users.
      #
      # Note that there is NO 'Fall-Through' attribute, so the user will not
      # be given any additional resources.
      #
      #DEFAULT Group == "disabled", Auth-Type := Reject
      # Reply-Message = "Your account has been disabled."
      #
      #
      # This is a complete entry for "steve". Note that there is no Fall-Through
      # entry so that no DEFAULT entry will be used, and the user will NOT
      # get any attributes in addition to the ones listed here.
      #
      #steve Cleartext-Password := "testing"
      # Service-Type = Framed-User,
      # Framed-Protocol = PPP,
      # Framed-IP-Address = 172.16.3.33,
      # Framed-IP-Netmask = 255.255.255.0,
      # Framed-Routing = Broadcast-Listen,
      # Framed-Filter-Id = "std.ppp",
      # Framed-MTU = 1500,
      # Framed-Compression = Van-Jacobsen-TCP-IP
      #
      # This is an entry for a user with a space in their name.
      # Note the double quotes surrounding the name.
      #
      #"John Doe" Cleartext-Password := "hello"
      # Reply-Message = "Hello, %{User-Name}"
      #
      # Dial user back and telnet to the default host for that port
      #
      #Deg Cleartext-Password := "ge55ged"
      # Service-Type = Callback-Login-User,
      # Login-IP-Host = 0.0.0.0,
      # Callback-Number = "9,5551212",
      # Login-Service = Telnet,
      # Login-TCP-Port = Telnet
      #
      # Another complete entry. After the user "dialbk" has logged in, the
      # connection will be broken and the user will be dialed back after which
      # he will get a connection to the host "timeshare1".
      #
      #dialbk Cleartext-Password := "callme"
      # Service-Type = Callback-Login-User,
      # Login-IP-Host = timeshare1,
      # Login-Service = PortMaster,
      # Callback-Number = "9,1-800-555-1212"
      #
      # user "swilson" will only get a static IP number if he logs in with
      # a framed protocol on a terminal server in Alphen (see the huntgroups file).
      #
      # Note that by setting "Fall-Through", other attributes will be added from
      # the following DEFAULT entries
      #
      #swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"
      # Framed-IP-Address = 192.168.1.65,
      # Fall-Through = Yes
      #
      # If the user logs in as 'username.shell', then authenticate them
      # using the default method, give them shell access, and stop processing
      # the rest of the file.
      #
      #DEFAULT Suffix == ".shell"
      # Service-Type = Login-User,
      # Login-Service = Telnet,
      # Login-IP-Host = your.shell.machine
      #
      # The rest of this file contains the several DEFAULT entries.
      # DEFAULT entries match with all login names.
      # Note that DEFAULT entries can also Fall-Through (see first entry).
      # A name-value pair from a DEFAULT entry will _NEVER_ override
      # an already existing name-value pair.
      #
      #
      # Set up different IP address pools for the terminal servers.
      # Note that the "+" behind the IP address means that this is the "base"
      # IP address. The Port-Id (S0, S1 etc) will be added to it.
      #
      #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen"
      # Framed-IP-Address = 192.168.1.32+,
      # Fall-Through = Yes
      #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft"
      # Framed-IP-Address = 192.168.2.32+,
      # Fall-Through = Yes
      #
      # Sample defaults for all framed connections.
      #
      #DEFAULT Service-Type == Framed-User
      # Framed-IP-Address = 255.255.255.254,
      # Framed-MTU = 576,
      # Service-Type = Framed-User,
      # Fall-Through = Yes
      #
      # Default for PPP: dynamic IP address, PPP mode, VJ-compression.
      # NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
      # by the terminal server in which case there may not be a "P" suffix.
      # The terminal server sends "Framed-Protocol = PPP" for auto PPP.
      #
      DEFAULT Framed-Protocol == PPP
       Framed-Protocol = PPP,
       Framed-Compression = Van-Jacobson-TCP-IP
      #
      # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
      #
      DEFAULT Hint == "CSLIP"
       Framed-Protocol = SLIP,
       Framed-Compression = Van-Jacobson-TCP-IP
      #
      # Default for SLIP: dynamic IP address, SLIP mode.
      #
      DEFAULT Hint == "SLIP"
       Framed-Protocol = SLIP
      #
      # Last default: rlogin to our main server.
      #
      #DEFAULT
      # Service-Type = Login-User,
      # Login-Service = Rlogin,
      # Login-IP-Host = shellbox.ispdomain.com
      # #
      # # Last default: shell on the local terminal server.
      # #
      # DEFAULT
      # Service-Type = Administrative-User
      # On no match, the user is denied access.
      

      ok jespere que tu auras pas les maux de tete avec tout ca. merci

      • [^] # Re: Certificat

        Posté par . Évalué à 3.

        rlm_eap_tls: Error reading certificate file /usr/local/openssl-certgen/ssl/certs/serveur.pem

        error reading ne veut pas dire que le fichier n'existe pas,
        juste que le programme ne peut pas le lire

        generalement c'est un probleme de droit d'acces à ce fichier (mauvais propriétaire, mauvais groupe par rapport à l'utilisateur qui est utilisé par raddb)

Suivre le flux des commentaires

Note : les commentaires appartiennent à celles et ceux qui les ont postés. Nous n’en sommes pas responsables.