[TriLUG] need Radius suggestions/help

Jon Carnes jonc at nc.rr.com
Tue Dec 7 22:39:04 EST 2004


I used FreeRadius a few years back to authenticate dialup users on a Max
Ascend unit. I had it working with PAM so that it authenticated against
my main NFS/NIS server. This made dialup logins the same as network
logins.

It was a PITA to set up, but once done it worked for years without
maintenance.

I had to download and read (and read, and read, and read) all the
Livingston Radius docs - which FreeRadius was based on - as the
FreeRadius docs were non-existent at the time.

Hopefully you will find things much easier now.

Jon Carnes


On Tue, 2004-12-07 at 09:28, Aaron S. Joyner wrote:
> gregbrown at mindspring.com wrote:
> 
> >As a disclaimer I have never set up radius before. Ever. Okay, here's where I find myself. <snip problem description>
> >
> First, there are a few things to understand about Radius.  Radius is 
> nothing more than an authentication protocol.  "Radius", as an ephemeral 
> concept, cannot do any of the things you're asking of it.  On the other 
> hand, Radius can be an enabling technology that allows your device (in 
> this case monowall) to defer to a more intelligent back-end for 
> determining who is, and who is not, authenticated.
> 
> The most common GPL'd radius server in use is FreeRadius, which can be 
> found here: http://www.freeradius.org/  FreeRadius is capable of using 
> lots of back-end authentication methods, including PAM, SQL, LDAP, and 
> others.  It's probably easiest to configure FreeRadius to authenticate 
> against a back-end you're comfortable manipulating, and then simply 
> adjust the back end on a monthly basis (perhaps via a script), to 
> accomplish your goals.
> 
> Consider this scenario: Monowall authenticates via Radius, against your 
> FreeRadius server.  Your FreeRadius server is configured to authenticate 
> against a MySQL table.  That table contains two columns and only one 
> row, which define a valid username and password.  Every month, your end 
> user comes to a password-protected web page which presents them with a 
> box to enter a new password.  This page updates the 2nd column in the 
> database, and then everyone has to use the new password that month.  
> That's perhaps the easiest, path of least resistance, to solve your 
> problem.  Other options include auth'ing against PAM, and then any valid 
> user account would succeed.  You could restrict which accounts are valid 
> for authentication, either in FreeRadius or possibly in PAM.  Then you 
> would only need to change one user's password on a monthly basis.  You 
> could also take either model and scale them up from the single-user idea 
> you originally had in mind, and allow multiple users, and create / 
> remove / edit them through any mechanism that modifies MySQL (or local 
> user accounts) that you like (i.e. a Perl / PHP web front-end, which 
> could make it easy to print out EULAs, etc).
> 
> Good luck in the world of Radius,
> Aaron S. Joyner



