[TriLUG] need Radius suggestions/help

skippy1 at hickorytech.net
Tue Dec 7 09:55:58 EST 2004


> gregbrown at mindspring.com wrote:
>
>>As a disclaimer I have never set up radius before.  Ever.  Okay, here's
>> where I find myself. <snip problem description>
>>
<snip>
> Consider this scenario: Monowall authenticates via Radius, against your
> FreeRadius server.  Your FreeRadius server is configured to authenticate
> against a MySQL table.  That table contains two columns and only one
> row, which define a valid username and password.  Every month, your end
> user comes to a password-protected web page which presents them with a
> box to enter a new password.  This page updates the 2nd column in the
> database, and then everyone has to use the new password that month.

I think I remember reading about the ability to use wildcard usernames in
the radius stuff I used way back when.  Trouble is, I don't remember which
radius implementation it was....

If I'm remembering correctly, it looked like
#username    password
*            thepasswd

> That's perhaps the easiest, path of least resistance, to solve your
> problem.  Other options include auth'ing against PAM, and then any valid
> user account would succeed.  You could restrict which accounts are
> valid for authentication, either in FreeRadius or possibly in PAM.
> Then you would only need to change one user's password on a monthly
> basis.  You could also take either model and scale them up from the
> single-user idea you originally had in mind, and allow multiple users,
> and create / remove / edit them through any mechanism that modifies
> MySQL (or local user accounts) that you like (i.e. a PERL / PHP web
> front-end, which could make it easy to print out EULAs, etc).

To my mind, since you want basic control of who can authenticate (guests
can and moochers can't) it might very well be worth the extra effort to
give each user a separate username.  That way they can have their access
turned off more easily if they misbehave.

Skippy
--
skippy at skippylair.net
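
Added example, not part of the original message or of FreeRADIUS itself: a Python example of the per-guest approach suggested above, with sqlite3 standing in for MySQL. The table layout follows FreeRADIUS's radcheck convention (Cleartext-Password and Auth-Type := Reject rows), which is an assumption because the thread only describes a two-column table; the function names and guest usernames are hypothetical, and would_accept is a simplified model of the server's decision.

```python
import secrets
import sqlite3

# sqlite3 in memory stands in for MySQL. Table layout modelled on FreeRADIUS's
# radcheck table (an assumption; the thread only describes two columns).
SCHEMA = """CREATE TABLE radcheck (
    id INTEGER PRIMARY KEY, username TEXT NOT NULL,
    attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL)"""
INSERT = "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ':=', ?)"
DELETE = "DELETE FROM radcheck WHERE username = ? AND attribute = ?"


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def set_password(db, username):
    """Create a guest or rotate their password; returns the new password."""
    password = secrets.token_urlsafe(12)
    db.execute(DELETE, (username, "Cleartext-Password"))
    db.execute(INSERT, (username, "Cleartext-Password", password))
    db.commit()
    return password


def disable(db, username):
    """Turn one guest off without touching anyone else's credentials."""
    db.execute(DELETE, (username, "Auth-Type"))
    db.execute(INSERT, (username, "Auth-Type", "Reject"))
    db.commit()


def would_accept(db, username, password):
    """Simplified model of the server's decision, used to check the table."""
    rows = dict(db.execute(
        "SELECT attribute, value FROM radcheck WHERE username = ?", (username,)))
    if rows.get("Auth-Type") == "Reject":
        return False
    stored = rows.get("Cleartext-Password")
    return stored is not None and secrets.compare_digest(
        stored.encode(), password.encode())
```

With one row per guest, rotating or revoking a single account leaves every other guest's password valid, which the single shared row cannot do.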




