Walled Garden for Users Without Realms.

James Wakefield (Sunet Sysadmin) sysadmin at sunet.com.au
Mon Sep 19 01:26:55 CEST 2005


G'day Al,

We're doing the same thing here changing a dial-up number and migrating 
off of the NASes that serve that number. My approach is:

* Match customers who need to be placed in the walled garden. This is 
easy enough for our situation, as they're in the huntgroup comprised of 
the old NASes. I could also match Called-Station-Id if I wanted.

* Send specific attributes for those users, giving them a short session 
timeout (say 5 or 10 minutes) which, if they fail to see or heed our 
message, will motivate them to call the helpdesk and get sorted out, and 
also setting their primary DNS server to one which resolves every 
hostname to one of your IP addresses using a wildcard zone or some such. 
If this DNS server is already providing other services, you'll want to 
use a view for walled garden users, which you may need to facilitate by 
putting them into a specific subnet. What attributes you use, exactly, 
will depend on your NAS gear.

* On the IP address that you're resolving * to is a webserver which 
displays the message you wish the walled garden users to read. If this 
webserver already serves other pages, you'll need to do some URL 
rewriting to send them to the appropriate page, e.g. using Apache's 
mod_rewrite. This way, any request for a web page will display your message.

Personally, I find the easiest approach is to just dust off a box that's 
not being used and put the wildcard DNS and webserver on it - it's only 
got a couple of very simple functions to perform and it's not a critical 
service.

You may also want to consider applying packet filtering to walled garden 
users as they'll still be able to reach the entire Internet by IP 
address, though the session timeouts make that only a moderate concern 
in our situation.

You could also do a similar thing with email by setting up a mailserver 
on the wildcarded IP and bouncing everything with your walled garden 
message. Personally, I think sending your customers an email and then 
putting in the web-based walled garden is enough.

Cheers,

James Wakefield
Systems Administrator
+61 03 5227 6888

We have now moved head office to 8-12 Pakington Street,
Geelong West.
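To make the first two of James's steps concrete, here is an added example of the FreeRADIUS `huntgroups` and `users` file entries such an approach would use. It is not from James's message or from the FreeRADIUS project; the NAS addresses, huntgroup name, DNS server address, dialled number and timeout value are assumed placeholders, and which reply attributes the NAS actually honours (here the Microsoft VSAs for PPP DNS assignment) depends on the gear, as James says.

```text
# huntgroups: name the NASes that serve the old dial-up number
# (addresses are placeholders, not from the original post)
oldnas    NAS-IP-Address == 192.0.2.10
oldnas    NAS-IP-Address == 192.0.2.11

# users: reply items for anyone arriving through that huntgroup.
# Authentication itself still comes from wherever the accounts live
# (SQL in Al's case); Fall-Through lets later entries add their own replies.
DEFAULT Huntgroup-Name == "oldnas"
        Session-Timeout = 600,
        MS-Primary-DNS-Server = 192.0.2.53,
        MS-Secondary-DNS-Server = 192.0.2.53,
        Reply-Message = "This dial-up number is closing, please call the helpdesk",
        Fall-Through = Yes

# Alternative check item if matching on the dialled number instead
# (number is a placeholder):
# DEFAULT Called-Station-Id == "0355551234"
```

The ten-minute Session-Timeout bounds how long a walled user can reach hosts by raw IP address, which is the packet-filtering concern James raises; a short DNS TTL on the wildcard zone (see the BIND example further down) likewise keeps stale answers from lingering once the customer is moved to the new number.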



McCain, Al wrote:

>Hi.
>
>I was wondering if there was a way to place users in a Walled Garden if
>they try to Auth without a Realm.
>We are currently running FreeRADIUS Version 0.9.3. Our users are stored
>in MySQL.  
>
>Company:
>I work for an ISP. We seem to acquire new properties every few months. 
>
>Current structure : 
>
>We have multiple instances of RADIUS running: one for each domain. (I
>have NO clue who set it up this way).
>
>I would like to consolidate these instances into one, and force our users
>to use realms. 
>
>Problem:
>
>We can't just force the customers to use realms. We would need to notify
>them of the changes. (This can prove tricky).
>
>What I would like to see:
>
>Aside from contacting the customer about changes, I would like to send
>the users to a web page after they log in without a realm. The page
>would tell them that they need to log in with realms.  I believe this is
>called hURL'ing, however I cannot seem to find any documentation. 
>
>Has anyone ever done this, or know if it can be done ? 
>
>Any help is greatly appreciated. 
>
>Thanks,
>Al
>
>- 
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
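The wildcard DNS and catch-all web page from James's second and third steps, as an added configuration example that is not part of the original thread: BIND `named.conf` and zone-file syntax plus an Apache mod_rewrite rule, with the walled subnet, file names, addresses and the `walled.invalid` names all assumed placeholders. The view is only needed when the name server also serves normal customers; on the dedicated spare box James prefers, the root zone can simply go in the default view.

```text
# --- named.conf: serve a wildcard root zone only to the walled subnet ---
view "walled-garden" {
    match-clients { 192.0.2.0/24; };   # pool assigned to walled users (assumed)
    recursion no;                      # nothing to recurse for; we answer everything
    zone "." {
        type master;
        file "walled-root.db";
    };
};

view "normal" {
    match-clients { any; };
    recursion yes;
    # ... the regular zones for everyone else ...
};

; --- walled-root.db: every name resolves to the walled-garden web server ---
; short TTL so cached answers expire quickly once a customer is moved over
$TTL 60
@       IN SOA  ns.walled.invalid. hostmaster.walled.invalid. (
                2005091901 3600 900 604800 60 )
        IN NS   ns.walled.invalid.
*       IN A    192.0.2.80

# --- httpd.conf on 192.0.2.80: internally rewrite every request from the
# --- walled subnet to the notice page, whatever hostname was requested
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^192\.0\.2\.
RewriteCond %{REQUEST_URI} !^/walled-garden/
RewriteRule .* /walled-garden/index.html [L]
```

The rewrite is internal (no redirect), so the browser keeps whatever hostname it asked for and no second DNS lookup is needed; matching on the client address rather than the Host header is what lets the same Apache instance keep serving its normal pages to everyone else. On a dedicated box the rewrite can be dropped in favour of a single-page DocumentRoot with `ErrorDocument 404 /index.html`.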



More information about the Freeradius-Users mailing list