• [^] # Re: Certificat

    Posté par . En réponse au message erreur radius. Évalué à 0. Dernière modification le 30 juillet 2016 à 17:57.

    ~~OS et logiciels impliques
    - Linux debian wheezy 7.0.0 amd 64 pour le serveur
    - Windows XP, 7 pour les postes clients
    - openssl-1.0.0s.tar.gz
    - freeradius-server-2.2.2 .tar.gz

    ce que je veux faire:Contribution à l’amélioration de la sécurité d’un réseau wifi au moyen d'un serveur d’authentification RADIUS sous Debian

    le problème:quand je lance la commande radiusd -x je reçois vers la fin un message d'erreur que voici :

    rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
    rlm_eap_tls: Error reading certificate file /usr/local/openssl-certgen/ssl/certs/serveur.pem
    rlm_eap: Failed to initialize type tls
    /usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
    /usr/local/etc/raddb/sites-enabled/default[310]: Failed to find "eap" in the "modules" section.
    /usr/local/etc/raddb/sites-enabled/default[252]: Errors parsing authenticate section. 
    

    or j'ai compilé tous les certificats (xpextensions, CA.root, CA.svr, CA.clt) dans le dossier « /usr/local/openssl-certgen/ssl/certs » ce qui me donne les fichiers demoCA fergis.der fergis.p12 fergis.pem newcert.pem root.der root.p12 root.pem serveur.der serveur.p12 serveur.pem xpextensions

    a noter qu'ici le client=fergis

    /usr/local/etc/raddb# ce dossier contient les fichiers eap.conf ; clients.conf; radiusd.conf et users que j'ai modifié .

    un apercu: eap.conf

    # -*- text -*-
    ##
    ## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
    ##
    ## $Id: d2c2b658bed01c345e9e34d7420a5d0e5541eeae $
    #######################################################################
    #
    # Whatever you do, do NOT set 'Auth-Type := EAP'. The server
    # is smart enough to figure this out on its own. The most
    # common side effect of setting 'Auth-Type := EAP' is that the
    # users then cannot use ANY other authentication method.
    #
    # EAP types NOT listed here may be supported via the "eap2" module.
    # See experimental.conf for documentation.
    #
     eap {
     # Invoke the default supported EAP type when
     # EAP-Identity response is received.
     #
     # The incoming EAP messages DO NOT specify which EAP
     # type they will be using, so it MUST be set here.
     #
     # For now, only one default EAP type may be used at a time.
     #
     # If the EAP-Type attribute is set by another module,
     # then that EAP type takes precedence over the
     # default type configured here.
     #
     default_eap_type = tls
     # A list is maintained to correlate EAP-Response
     # packets with EAP-Request packets. After a
     # configurable length of time, entries in the list
     # expire, and are deleted.
     #
     timer_expire = 60
     # There are many EAP types, but the server has support
     # for only a limited subset. If the server receives
     # a request for an EAP type it does not support, then
     # it normally rejects the request. By setting this
     # configuration to "yes", you can tell the server to
     # instead keep processing the request. Another module
     # MUST then be configured to proxy the request to
     # another RADIUS server which supports that EAP type.
     #
     # If another module is NOT configured to handle the
     # request, then the request will still end up being
     # rejected.
     ignore_unknown_eap_types = no
     # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
     # a User-Name attribute in an Access-Accept, it copies one
     # more byte than it should.
     #
     # We can work around it by configurably adding an extra
     # zero byte.
     cisco_accounting_username_bug = no
     #
     # Help prevent DoS attacks by limiting the number of
     # sessions that the server is tracking. Most systems
     # can handle ~30 EAP sessions/s, so the default limit
     # of 4096 should be OK.
     max_sessions = 4096
     # Supported EAP-types
     #
     # We do NOT recommend using EAP-MD5 authentication
     # for wireless connections. It is insecure, and does
     # not provide for dynamic WEP keys.
     #
    md5{
     }
     # Cisco LEAP
     #
     # We do not recommend using LEAP in new deployments. See:
     # http://www.securiteam.com/tools/5TP012ACKE.html
     #
     # Cisco LEAP uses the MS-CHAP algorithm (but not
     # the MS-CHAP attributes) to perform it's authentication.
     #
     # As a result, LEAP *requires* access to the plain-text
     # User-Password, or the NT-Password attributes.
     # 'System' authentication is impossible with LEAP.
     #
     leap {
     }
     # Generic Token Card.
     #
     # Currently, this is only permitted inside of EAP-TTLS,
     # or EAP-PEAP. The module "challenges" the user with
     # text, and the response from the user is taken to be
     # the User-Password.
     #
     # Proxying the tunneled EAP-GTC session is a bad idea,
     # the users password will go over the wire in plain-text,
     # for anyone to see.
     #
     gtc {
     # The default challenge, which many clients
     # ignore..
     #challenge = "Password: "
     # The plain-text response which comes back
     # is put into a User-Password attribute,
     # and passed to another module for
     # authentication. This allows the EAP-GTC
     # response to be checked against plain-text,
     # or crypt'd passwords.
     #
     # If you say "Local" instead of "PAP", then
     # the module will look for a User-Password
     # configured for the request, and do the
     # authentication itself.
     #
     auth_type = PAP
     }
     ## EAP-TLS
     #
     # See raddb/certs/README for additional comments
     # on certificates.
     #
     # If OpenSSL was not found at the time the server was
     # built, the "tls", "ttls", and "peap" sections will
     # be ignored.
     #
     # Otherwise, when the server first starts in debugging
     # mode, test certificates will be created. See the
     # "make_cert_command" below for details, and the README
     # file in raddb/certs
     #
     # These test certificates SHOULD NOT be used in a normal
     # deployment. They are created only to make it easier
     # to install the server, and to perform some simple
     # tests with EAP-TLS, TTLS, or PEAP.
     #
     # See also:
     #
     # http://www.dslreports.com/forum/remark,9286052~mode=flat
     #
     # Note that you should NOT use a globally known CA here!
     # e.g. using a Verisign cert as a "known CA" means that
     # ANYONE who has a certificate signed by them can
     # authenticate via EAP-TLS! This is likely not what you want.
     tls {
     #
     # These is used to simplify later configurations.
     #
     certdir =/usr/local/openssl-certgen/ssl/certs
     cadir =/usr/local/openssl-certgen/ssl/certs 
     certdir = ${confdir}/certs
     cadir = ${confdir}/certs
     private_key_password = fergisuriel
     private_key_file = ${certdir}/serveur.pem
     # If Private key & Certificate are located in
     # the same file, then private_key_file &
     # certificate_file must contain the same file
     # name.
     #
     # If CA_file (below) is not used, then the
     # certificate_file below MUST include not
     # only the server certificate, but ALSO all
     # of the CA certificates used to sign the
     # server certificate.
     certificate_file = /usr/local/openssl-certgen/ssl/certs/serveur.pem
     # Trusted Root CA list
     #
     # ALL of the CA's in this list will be trusted
     # to issue client certificates for authentication.
     #
     # In general, you should use self-signed
     # certificates for 802.1x (EAP) authentication.
     # In that case, this CA file should contain
     # *one* CA certificate.
     #
     # This parameter is used only for EAP-TLS,
     # when you issue client certificates. If you do
     # not use client certificates, and you do not want
     # to permit EAP-TLS authentication, then delete
     # this configuration item.
     CA_file = /usr/local/openssl-certgen/ssl/certs/root.pem
     #
     # For DH cipher suites to work, you have to
     # run OpenSSL to create the DH file first:
     #
     # openssl dhparam -out certs/dh 1024
     #
     dh_file = ${certdir}/dh
     #
     # If your system doesn't have /dev/urandom,
     # you will need to create this file, and
     # periodically change its contents.
     #
     # For security reasons, FreeRADIUS doesn't
     # write to files in its configuration
     # directory.
     #
     random_file = ${certdir}/random
     #
     # This can never exceed the size of a RADIUS
     # packet (4096 bytes), and is preferably half
     # that, to accomodate other attributes in
     # RADIUS packet. On most APs the MAX packet
     # length is configured between 1500 - 1600
     # In these cases, fragment size should be
     # 1024 or less.
     #
     fragment_size = 1024
     # include_length is a flag which is
     # by default set to yes If set to
     # yes, Total Length of the message is
     # included in EVERY packet we send.
     # If set to no, Total Length of the
     # message is included ONLY in the
     # First packet of a fragment series.
     #
     include_length = yes
     # Check the Certificate Revocation List
     #
     # 1) Copy CA certificates and CRLs to same directory.
     # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
     # 'c_rehash' is OpenSSL's command.
     # 3) uncomment the line below.
     # 5) Restart radiusd
     # check_crl = yes
     CA_path = ${cadir}
     #
     # If check_cert_issuer is set, the value will
     # be checked against the DN of the issuer in
     # the client certificate. If the values do not
     # match, the cerficate verification will fail,
     # rejecting the user.
     #
     # In 2.1.10 and later, this check can be done
     # more generally by checking the value of the
     # TLS-Client-Cert-Issuer attribute. This check
     # can be done via any mechanism you choose.
     #
     # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
     #
     # If check_cert_cn is set, the value will
     # be xlat'ed and checked against the CN
     # in the client certificate. If the values
     # do not match, the certificate verification
     # will fail rejecting the user.
     #
     # This check is done only if the previous
     # "check_cert_issuer" is not set, or if
     # the check succeeds.
     #
     # In 2.1.10 and later, this check can be done
     # more generally by checking the value of the
     # TLS-Client-Cert-CN attribute. This check
     # can be done via any mechanism you choose.
     #
     check_cert_cn = %{User-Name}
     #
     # Set this option to specify the allowed
     # TLS cipher suites. The format is listed
     # in "man 1 ciphers".
     cipher_list = "DEFAULT"
     #
     # As part of checking a client certificate, the EAP-TLS
     # sets some attributes such as TLS-Client-Cert-CN. This
     # virtual server has access to these attributes, and can
     # be used to accept or reject the request.
     #
     # virtual_server = check-eap-tls
     # This command creates the initial "snake oil"
     # certificates when the server is run as root,
     # and via "radiusd -X".
     #
     # As of 2.1.11, it *also* checks the server
     # certificate for validity, including expiration.
     # This means that radiusd will refuse to start
     # when the certificate has expired. The alternative
     # is to have the 802.1X clients refuse to connect
     # when they discover the certificate has expired.
     #
     # Debugging client issues is hard, so it's better
     # for the server to print out an error message,
     # and refuse to start.
     #
     make_cert_command = "${certdir}/bootstrap"
     #
     # Elliptical cryptography configuration
     #
     # Only for OpenSSL >= 0.9.8.f
     #
     ecdh_curve = "prime256v1"
     #
     # Session resumption / fast reauthentication
     # cache.
     #
     # The cache contains the following information:
     #
     # session Id - unique identifier, managed by SSL
     # User-Name - from the Access-Accept
     # Stripped-User-Name - from the Access-Request
     # Cached-Session-Policy - from the Access-Accept
     #
     # The "Cached-Session-Policy" is the name of a
     # policy which should be applied to the cached
     # session. This policy can be used to assign
     # VLANs, IP addresses, etc. It serves as a useful
     # way to re-apply the policy from the original
     # Access-Accept to the subsequent Access-Accept
     # for the cached session.
     #
     # On session resumption, these attributes are
     # copied from the cache, and placed into the
     # reply list.
     #
     # You probably also want "use_tunneled_reply = yes"
     # when using fast session resumption.
     #
     cache {
     #
     # Enable it. The default is "no".
     # Deleting the entire "cache" subsection
     # Also disables caching.
     #
     # You can disallow resumption for a
     # particular user by adding the following
     # attribute to the control item list:
     #
     # Allow-Session-Resumption = No
     #
     # If "enable = no" below, you CANNOT
     # enable resumption for just one user
     # by setting the above attribute to "yes".
     #
     enable = no
     #
     # Lifetime of the cached entries, in hours.
     # The sessions will be deleted after this
     # time.
     #
     lifetime = 24 # hours
     #
     # The maximum number of entries in the
     # cache. Set to "0" for "infinite".
     #
     # This could be set to the number of users
     # who are logged in... which can be a LOT.
     #
     max_entries = 255
     }
     #
     # As of version 2.1.10, client certificates can be
     # validated via an external command. This allows
     # dynamic CRLs or OCSP to be used.
     #
     # This configuration is commented out in the
     # default configuration. Uncomment it, and configure
     # the correct paths below to enable it.
     #
     verify {
     # A temporary directory where the client
     # certificates are stored. This directory
     # MUST be owned by the UID of the server,
     # and MUST not be accessible by any other
     # users. When the server starts, it will do
     # "chmod go-rwx" on the directory, for
     # security reasons. The directory MUST
     # exist when the server starts.
     #
     # You should also delete all of the files
     # in the directory when the server starts.
     # tmpdir = /tmp/radiusd
     # The command used to verify the client cert.
     # We recommend using the OpenSSL command-line
     # tool.
     #
     # The ${..CA_path} text is a reference to
     # the CA_path variable defined above.
     #
     # The %{TLS-Client-Cert-Filename} is the name
     # of the temporary file containing the cert
     # in PEM format. This file is automatically
     # deleted by the server when the command
     # returns.
     # client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
     }
     #
     # OCSP Configuration
     # Certificates can be verified against an OCSP
     # Responder. This makes it possible to immediately
     # revoke certificates without the distribution of
     # new Certificate Revokation Lists (CRLs).
     #
     ocsp {
     #
     # Enable it. The default is "no".
     # Deleting the entire "ocsp" subsection
     # Also disables ocsp checking
     #
     enable = no
     #
     # The OCSP Responder URL can be automatically
     # extracted from the certificate in question.
     # To override the OCSP Responder URL set
     # "override_cert_url = yes". 
     #
     override_cert_url = yes
     #
     # If the OCSP Responder address is not
     # extracted from the certificate, the
     # URL can be defined here.
     #
     # Limitation: Currently the HTTP
     # Request is not sending the "Host: "
     # information to the web-server. This
     # can be a problem if the OCSP
     # Responder is running as a vhost.
     #
     url = "http://127.0.0.1/ocsp/"
     #
     # If the OCSP Responder can not cope with nonce
     # in the request, then it can be disabled here.
     #
     # For security reasons, disabling this option
     # is not recommended as nonce protects against
     # replay attacks.
     #
     # Note that Microsoft AD Certificate Services OCSP
     # Responder does not enable nonce by default. It is
     # more secure to enable nonce on the responder than
     # to disable it in the query here.
     # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
     #
     # use_nonce = yes
     #
     # Number of seconds before giving up waiting
     # for OCSP response. 0 uses system default.
     #
     # timeout = 0
     #
     # Normally an error in querying the OCSP
     # responder (no response from server, server did
     # not understand the request, etc) will result in
     # a validation failure.
     #
     # To treat these errors as 'soft' failures and
     # still accept the certificate, enable this
     # option.
     # 
     # Warning: this may enable clients with revoked
     # certificates to connect if the OCSP responder
     # is not available. Use with caution.
     #
     # softfail = no
     }
     }
     # The TTLS module implements the EAP-TTLS protocol,
     # which can be described as EAP inside of Diameter,
     # inside of TLS, inside of EAP, inside of RADIUS...
     #
     # Surprisingly, it works quite well.
     #
     # The TTLS module needs the TLS module to be installed
     # and configured, in order to use the TLS tunnel
     # inside of the EAP packet. You will still need to
     # configure the TLS module, even if you do not want
     # to deploy EAP-TLS in your network. Users will not
     # be able to request EAP-TLS, as it requires them to
     # have a client certificate. EAP-TTLS does not
     # require a client certificate.
     #
     # You can make TTLS require a client cert by setting
     #
     # EAP-TLS-Require-Client-Cert = Yes
     #
     # in the control items for a request.
     #
     ttls {
     # The tunneled EAP session needs a default
     # EAP type which is separate from the one for
     # the non-tunneled EAP module. Inside of the
     # TTLS tunnel, we recommend using EAP-MD5.
     # If the request does not contain an EAP
     # conversation, then this configuration entry
     # is ignored.
     default_eap_type = md5
     # The tunneled authentication request does
     # not usually contain useful attributes
     # like 'Calling-Station-Id', etc. These
     # attributes are outside of the tunnel,
     # and normally unavailable to the tunneled
     # authentication request.
     #
     # By setting this configuration entry to
     # 'yes', any attribute which NOT in the
     # tunneled authentication request, but
     # which IS available outside of the tunnel,
     # is copied to the tunneled request.
     #
     # allowed values: {no, yes}
     copy_request_to_tunnel = no
     # The reply attributes sent to the NAS are
     # usually based on the name of the user
     # 'outside' of the tunnel (usually
     # 'anonymous'). If you want to send the
     # reply attributes based on the user name
     # inside of the tunnel, then set this
     # configuration entry to 'yes', and the reply
     # to the NAS will be taken from the reply to
     # the tunneled request.
     #
     # allowed values: {no, yes}
     use_tunneled_reply = no
     #
     # The inner tunneled request can be sent
     # through a virtual server constructed
     # specifically for this purpose.
     #
     # If this entry is commented out, the inner
     # tunneled request will be sent through
     # the virtual server that processed the
     # outer requests.
     #
     virtual_server = "inner-tunnel"
     # This has the same meaning as the
     # same field in the "tls" module, above.
     # The default value here is "yes".
     # include_length = yes
     }
     ##################################################
     #
     # !!!!! WARNINGS for Windows compatibility !!!!!
     #
     ##################################################
     #
     # If you see the server send an Access-Challenge,
     # and the client never sends another Access-Request,
     # then
     #
     # STOP!
     #
     # The server certificate has to have special OID's
     # in it, or else the Microsoft clients will silently
     # fail. See the "scripts/xpextensions" file for
     # details, and the following page:
     #
     # http://support.microsoft.com/kb/814394/en-us
     #
     # For additional Windows XP SP2 issues, see:
     #
     # http://support.microsoft.com/kb/885453/en-us
     #
     #
     # If is still doesn't work, and you're using Samba,
     # you may be encountering a Samba bug. See:
     #
     # https://bugzilla.samba.org/show_bug.cgi?id=6563
     #
     # Note that we do not necessarily agree with their
     # explanation... but the fix does appear to work.
     #
     ##################################################
     #
     # The tunneled EAP session needs a default EAP type
     # which is separate from the one for the non-tunneled
     # EAP module. Inside of the TLS/PEAP tunnel, we
     # recommend using EAP-MS-CHAPv2.
     #
     # The PEAP module needs the TLS module to be installed
     # and configured, in order to use the TLS tunnel
     # inside of the EAP packet. You will still need to
     # configure the TLS module, even if you do not want
     # to deploy EAP-TLS in your network. Users will not
     # be able to request EAP-TLS, as it requires them to
     # have a client certificate. EAP-PEAP does not
     # require a client certificate.
     #
     #
     # You can make PEAP require a client cert by setting
     #
     # EAP-TLS-Require-Client-Cert = Yes
     #
     # in the control items for a request.
     #
     peap {
     # The tunneled EAP session needs a default
     # EAP type which is separate from the one for
     # the non-tunneled EAP module. Inside of the
     # PEAP tunnel, we recommend using MS-CHAPv2,
     # as that is the default type supported by
     # Windows clients.
     default_eap_type = mschapv2
     # the PEAP module also has these configuration
     # items, which are the same as for TTLS.
     copy_request_to_tunnel = no
     use_tunneled_reply = no
     # When the tunneled session is proxied, the
     # home server may not understand EAP-MSCHAP-V2.
     # Set this entry to "no" to proxy the tunneled
     # EAP-MSCHAP-V2 as normal MSCHAPv2.
     # proxy_tunneled_request_as_eap = yes
     #
     # The inner tunneled request can be sent
     # through a virtual server constructed
     # specifically for this purpose.
     #
     # If this entry is commented out, the inner
     # tunneled request will be sent through
     # the virtual server that processed the
     # outer requests.
     #
     virtual_server = "inner-tunnel"
     # This option enables support for MS-SoH
     # see doc/SoH.txt for more info.
     # It is disabled by default.
     #
    # soh = yes
     #
     # The SoH reply will be turned into a request which
     # can be sent to a specific virtual server:
     #
    # soh_virtual_server = "soh-server"
     }
     #
     # This takes no configuration.
     #
     # Note that it is the EAP MS-CHAPv2 sub-module, not
     # the main 'mschap' module.
     #
     # Note also that in order for this sub-module to work,
     # the main 'mschap' module MUST ALSO be configured.
     #
     # This module is the *Microsoft* implementation of MS-CHAPv2
     # in EAP. There is another (incompatible) implementation
     # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
     # currently support.
     #
     mschapv2 {
     # Prior to version 2.1.11, the module never
     # sent the MS-CHAP-Error message to the
     # client. This worked, but it had issues
     # when the cached password was wrong. The
     # server *should* send "E=691 R=0" to the
     # client, which tells it to prompt the user
     # for a new password.
     #
     # The default is to behave as in 2.1.10 and
     # earlier, which is known to work. If you
     # set "send_error = yes", then the error
     # message will be sent back to the client.
     # This *may* help some clients work better,
     # but *may* also cause other clients to stop
     # working.
     #
    # send_error = no
     }
     } 
    clients.conf
    # -*- text -*-
    ##
    ## clients.conf -- client configuration directives
    ##
    ## $Id: 729c15d3e84c6cdb54a5f3652d93a2d7f8725fd4 $
    #######################################################################
    #
    # Define RADIUS clients (usually a NAS, Access Point, etc.).
    #
    # Defines a RADIUS client.
    #
    # '127.0.0.1' is another name for 'localhost'. It is enabled by default,
    # to allow testing of the server after an initial installation. If you
    # are not going to be permitting RADIUS queries from localhost, we suggest
    # that you delete, or comment out, this entry.
    #
    #
    #
    # Each client has a "short name" that is used to distinguish it from
    # other clients.
    #
    # In version 1.x, the string after the word "client" was the IP
    # address of the client. In 2.0, the IP address is configured via
    # the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
    # format is still accepted.
    #
    client localhost{
     # Allowed values are:
     # dotted quad (1.2.3.4)
     # hostname (radius.example.com)
     ipaddr = 127.0.0.1
     # OR, you can use an IPv6 address, but not both
     # at the same time.
    # ipv6addr = :: # any. ::1 == localhost
     #
     # A note on DNS: We STRONGLY recommend using IP addresses
     # rather than host names. Using host names means that the
     # server will do DNS lookups when it starts, making it
     # dependent on DNS. i.e. If anything goes wrong with DNS,
     # the server won't start!
     #
     # The server also looks up the IP address from DNS once, and
     # only once, when it starts. If the DNS record is later
     # updated, the server WILL NOT see that update.
     #
     # One client definition can be applied to an entire network.
     # e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
     # "netmask = 8"
     #
     # If not specified, the default netmask is 32 (i.e. /32)
     #
     # We do NOT recommend using anything other than 32. There
     # are usually other, better ways to achieve the same goal.
     # Using netmasks of other than 32 can cause security issues.
     #
     # You can specify overlapping networks (127/8 and 127.0/16)
     # In that case, the smallest possible network will be used
     # as the "best match" for the client.
     #
     # Clients can also be defined dynamically at run time, based
     # on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
     # etc.
     # See raddb/sites-available/dynamic-clients for details.
     #
    # netmask = 32
     #
     # The shared secret use to "encrypt" and "sign" packets between
     # the NAS and FreeRADIUS. You MUST change this secret from the
     # default, otherwise it's not a secret any more!
     #
     # The secret can be any string, up to 8k characters in length.
     #
     # Control codes can be entered vi octal encoding,
     # e.g. "101円102円" == "AB"
     # Quotation marks can be entered by escaping them,
     # e.g. "foo\"bar"
     #
     # A note on security: The security of the RADIUS protocol
     # depends COMPLETELY on this secret! We recommend using a
     # shared secret that is composed of:
     #
     # upper case letters
     # lower case letters
     # numbers
     #
     # And is at LEAST 8 characters long, preferably 16 characters in
     # length. The secret MUST be random, and should not be words,
     # phrase, or anything else that is recognizable.
     #
     # The default secret below is only for testing, and should
     # not be used in any real environment.
     #
     secret = testing123
     #
     # Old-style clients do not send a Message-Authenticator
     # in an Access-Request. RFC 5080 suggests that all clients
     # SHOULD include it in an Access-Request. The configuration
     # item below allows the server to require it. If a client
     # is required to include a Message-Authenticator and it does
     # not, then the packet will be silently discarded.
     #
     # allowed values: yes, no
     require_message_authenticator = no
     #
     # The short name is used as an alias for the fully qualified
     # domain name, or the IP address.
     #
     # It is accepted for compatibility with 1.x, but it is no
     # longer necessary in 2.0
     #
     shortname = localhost
     #
     # the following three fields are optional, but may be used by
     # checkrad.pl for simultaneous use checks
     #
     #
     # The nastype tells 'checkrad.pl' which NAS-specific method to
     # use to query the NAS for simultaneous use.
     #
     # Permitted NAS types are:
     #
     # cisco
     # computone
     # livingston
     # juniper
     # max40xx
     # multitech
     # netserver
     # pathras
     # patton
     # portslave
     # tc
     # usrhiper
     # other # for all other types
     #
     nastype = other
     # localhost isn't usually a NAS...
     #
     # The following two configurations are for future use.
     # The 'naspasswd' file is currently used to store the NAS
     # login name and password, which is used by checkrad.pl
     # when querying the NAS for simultaneous use.
     #
    # login = !root
    # password = someadminpas
     #
     # As of 2.0, clients can also be tied to a virtual server.
     # This is done by setting the "virtual_server" configuration
     # item, as in the example below.
     #
    # virtual_server = home1
     #
     # A pointer to the "home_server_pool" OR a "home_server"
     # section that contains the CoA configuration for this
     # client. For an example of a coa home server or pool,
     # see raddb/sites-available/originate-coa
    # coa_server = coa
    }
    # IPv6 Client
    #client ::1 {
    # secret = testing123
    # shortname = localhost
    #}
    #
    # All IPv6 Site-local clients
    #client fe80::/16 {
    # secret = testing123
    # shortname = localhost
    #}
    #client some.host.org {
    # secret = testing123
    # shortname = localhost
    #}
    #
    # You can now specify one secret for a network of clients.
    # When a client request comes in, the BEST match is chosen.
    # i.e. The entry from the smallest possible network.
    #
    #client 192.168.0.0/24 {
    # secret = testing123-1
    # shortname = private-network-1
    #}
    #
    #client 192.168.0.0/16 {
    # secret = testing123-2
    # shortname = private-network-2
    #}
    client 127.0.0.1 {
    secret = testing123
    shortname = localhost
    nastype = other
    }
    #client 10.10.10.10 {
    # # secret and password are mapped through the "secrets" file.
    # secret = testing123
    # shortname = liv1
    # # the following three fields are optional, but may be used by
    # # checkrad.pl for simultaneous usage checks
    # nastype = livingston
    # login = !root
    # password = someadminpas
    #}
    #######################################################################
    #
    # Per-socket client lists. The configuration entries are exactly
    # the same as above, but they are nested inside of a section.
    #
    # You can have as many per-socket client lists as you have "listen"
    # sections, or you can re-use a list among multiple "listen" sections.
    #
    # Un-comment this section, and edit a "listen" section to add:
    # "clients = per_socket_clients". That IP address/port combination
    # will then accept ONLY the clients listed in this section.
    #
    #clients per_socket_clients {
    # client 192.168.3.4 {
    # secret = testing123
    # }
    #}
    ---radiusd.conf (j'ai pas modifiee le fichier)
    ----users # fergis Auth-Type := local, User-Password == "fergisuriel"
    #
    # Please read the documentation file ../doc/processing_users_file,
    # or 'man 5 users' (after installing the server) for more information.
    #
    # This file contains authentication security and configuration
    # information for each user. Accounting requests are NOT processed
    # through this file. Instead, see 'acct_users', in this directory.
    #
    # The first field is the user's name and can be up to
    # 253 characters in length. This is followed (on the same line) with
    # the list of authentication requirements for that user. This can
    # include password, comm server name, comm server port number, protocol
    # type (perhaps set by the "hints" file), and huntgroup name (set by
    # the "huntgroups" file).
    #
    # If you are not sure why a particular reply is being sent by the
    # server, then run the server in debugging mode (radiusd -X), and
    # you will see which entries in this file are matched.
    #
    # When an authentication request is received from the comm server,
    # these values are tested. Only the first match is used unless the
    # "Fall-Through" variable is set to "Yes".
    #
    # A special user named "DEFAULT" matches on all usernames.
    # You can have several DEFAULT entries. All entries are processed
    # in the order they appear in this file. The first entry that
    # matches the login-request will stop processing unless you use
    # the Fall-Through variable.
    #
    # If you use the database support to turn this file into a .db or .dbm
    # file, the DEFAULT entries _have_ to be at the end of this file and
    # you can't have multiple entries for one username.
    #
    # Indented (with the tab character) lines following the first
    # line indicate the configuration values to be passed back to
    # the comm server to allow the initiation of a user session.
    # This can include things like the PPP configuration values
    # or the host to log the user onto.
    #
    # You can include another `users' file with `$INCLUDE users.other'
    #
    #
    # For a list of RADIUS attributes, and links to their definitions,
    # see:
    #
    # http://www.freeradius.org/rfc/attributes.html
    #
    #
    # Deny access for a specific user. Note that this entry MUST
    # be before any other 'Auth-Type' attribute which results in the user
    # being authenticated.
    #
    # Note that there is NO 'Fall-Through' attribute, so the user will not
    # be given any additional resources.
    #
     "localhost" Auth-Type := EAP
     "localhost" cleartext-password := "fergisuriel"
    # Reply-Message = "Your account has been disabled."
    #
    # Deny access for a group of users.
    #
    # Note that there is NO 'Fall-Through' attribute, so the user will not
    # be given any additional resources.
    #
    #DEFAULT Group == "disabled", Auth-Type := Reject
    # Reply-Message = "Your account has been disabled."
    #
    #
    # This is a complete entry for "steve". Note that there is no Fall-Through
    # entry so that no DEFAULT entry will be used, and the user will NOT
    # get any attributes in addition to the ones listed here.
    #
    #steve Cleartext-Password := "testing"
    # Service-Type = Framed-User,
    # Framed-Protocol = PPP,
    # Framed-IP-Address = 172.16.3.33,
    # Framed-IP-Netmask = 255.255.255.0,
    # Framed-Routing = Broadcast-Listen,
    # Framed-Filter-Id = "std.ppp",
    # Framed-MTU = 1500,
    # Framed-Compression = Van-Jacobsen-TCP-IP
    #
    # This is an entry for a user with a space in their name.
    # Note the double quotes surrounding the name.
    #
    #"John Doe" Cleartext-Password := "hello"
    # Reply-Message = "Hello, %{User-Name}"
    #
    # Dial user back and telnet to the default host for that port
    #
    #Deg Cleartext-Password := "ge55ged"
    # Service-Type = Callback-Login-User,
    # Login-IP-Host = 0.0.0.0,
    # Callback-Number = "9,5551212",
    # Login-Service = Telnet,
    # Login-TCP-Port = Telnet
    #
    # Another complete entry. After the user "dialbk" has logged in, the
    # connection will be broken and the user will be dialed back after which
    # he will get a connection to the host "timeshare1".
    #
    #dialbk Cleartext-Password := "callme"
    # Service-Type = Callback-Login-User,
    # Login-IP-Host = timeshare1,
    # Login-Service = PortMaster,
    # Callback-Number = "9,1-800-555-1212"
    #
    # user "swilson" will only get a static IP number if he logs in with
    # a framed protocol on a terminal server in Alphen (see the huntgroups file).
    #
    # Note that by setting "Fall-Through", other attributes will be added from
    # the following DEFAULT entries
    #
    #swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"
    # Framed-IP-Address = 192.168.1.65,
    # Fall-Through = Yes
    #
    # If the user logs in as 'username.shell', then authenticate them
    # using the default method, give them shell access, and stop processing
    # the rest of the file.
    #
    #DEFAULT Suffix == ".shell"
    # Service-Type = Login-User,
    # Login-Service = Telnet,
    # Login-IP-Host = your.shell.machine
    #
    # The rest of this file contains the several DEFAULT entries.
    # DEFAULT entries match with all login names.
    # Note that DEFAULT entries can also Fall-Through (see first entry).
    # A name-value pair from a DEFAULT entry will _NEVER_ override
    # an already existing name-value pair.
    #
    #
    # Set up different IP address pools for the terminal servers.
    # Note that the "+" behind the IP address means that this is the "base"
    # IP address. The Port-Id (S0, S1 etc) will be added to it.
    #
    #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen"
    # Framed-IP-Address = 192.168.1.32+,
    # Fall-Through = Yes
    #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft"
    # Framed-IP-Address = 192.168.2.32+,
    # Fall-Through = Yes
    #
    # Sample defaults for all framed connections.
    #
    #DEFAULT Service-Type == Framed-User
    # Framed-IP-Address = 255.255.255.254,
    # Framed-MTU = 576,
    # Service-Type = Framed-User,
    # Fall-Through = Yes
    #
    # Default for PPP: dynamic IP address, PPP mode, VJ-compression.
    # NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
    # by the terminal server in which case there may not be a "P" suffix.
    # The terminal server sends "Framed-Protocol = PPP" for auto PPP.
    #
    DEFAULT Framed-Protocol == PPP
     Framed-Protocol = PPP,
     Framed-Compression = Van-Jacobson-TCP-IP
    #
    # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
    #
    DEFAULT Hint == "CSLIP"
     Framed-Protocol = SLIP,
     Framed-Compression = Van-Jacobson-TCP-IP
    #
    # Default for SLIP: dynamic IP address, SLIP mode.
    #
    DEFAULT Hint == "SLIP"
     Framed-Protocol = SLIP
    #
    # Last default: rlogin to our main server.
    #
    #DEFAULT
    # Service-Type = Login-User,
    # Login-Service = Rlogin,
    # Login-IP-Host = shellbox.ispdomain.com
    # #
    # # Last default: shell on the local terminal server.
    # #
    # DEFAULT
    # Service-Type = Administrative-User
    # On no match, the user is denied access.
    

    ok jespere que tu auras pas les maux de tete avec tout ca. merci