[TriLUG] need Radius suggestions/help
jonc at nc.rr.com
Tue Dec 7 22:39:04 EST 2004
I used FreeRadius a few years back to authenticate dialup users on a Max
Ascend unit. I had it working with PAM so that it authenticated against
my main NFS/NIS server. This made dialup logins the same as network
It was a PITA to setup, but once done it worked for years without
I had to download and read (and read, and read, and read) all the
Livingston Radius docs - which FreeRadius was based on - as the
FreeRadius docs were non-existent at the time.
Hopefully you will find things much easier now.
On Tue, 2004-12-07 at 09:28, Aaron S. Joyner wrote:
> gregbrown at mindspring.com wrote:
> >As a disclaimer I have never set up radius before. Ever. Okay, here where I find myself. <snip problem description>
> First, there are a few things to understand about Radius. Radius is
> nothing more than an authentication protocol. "Radius", as an ephemeral
> concept, can not do any of the things you're asking of it. On the other
> hand, Radius can be an enabling technology that allows your device (in
> this case monowall) to defer to a more intelligent back-end for
> determining who is, and who is not, authenticated.
> The most common GPL'd radius server in use is FreeRadius, which can be
> found here: http://www.freeradius.org/ FreeRadius is capable of using
> lots of back-end authentication methods, including PAM, SQL, LDAP, and
> others. It's probably easiest to configure FreeRadius to authenticate
> against a back-end you're comfortable manipulating, and then simply
> adjust the back end on a monthly basis (perhaps via a script), to
> accomplish your goals.
> Consider this scenario: Monowall authenticates via Radius, against your
> FreeRadius server. Your FreeRadius server is configured to authenticate
> against a MySQL table. That table contains two columns and only one
> row, which define a valid username and password. Every month, your end
> user comes to a password-protected web page which presents them with a
> box to enter a new password. This page updates the 2nd column in the
> database, and then everyone has to use the new password that month.
> That's perhaps the easiest, path of least resistance, to solve your
> problem. Other options include auth'ing against PAM, and then any valid
> user account would succeed. You could restrict which accounts are valid
> for authentication, either in FreeRadius or possibly in PAM. Then you
> would only need to change one user's password on a monthly basis. You
> could also take either model and scale them up from the single-user idea
> you originally had in mind, and allow multiple users, and create /
> remove / edit them through any mechanism that modifies MySQL (or local
> user accounts) that you like (i.e. a PERL / PHP web front-end, which
> could make it easy to print out EULAs, etc).
> Good luck in the world of Radius,
> Aaron S. Joyner
More information about the TriLUG