Walled Garden for Users Without Realms.

McCain, Al cmccain at valortelecom.com
Mon Sep 19 15:26:23 CEST 2005

-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
James Wakefield (Sunet Sysadmin)
Sent: Sunday, September 18, 2005 6:27 PM
To: FreeRadius users mailing list
Subject: Re: Walled Garden for Users Without Realms.

G'day Al,

We're doing the same thing here changing a dial-up number and migrating
off of the NASes that serve that number. My approach is:

* Match customers who need to be placed in the walled garden, this is
easy enough for our situation, as they're in the huntgroup comprised of
the old NASes. I could also match Called-Station-Id if I wanted.

* Send specific attributes for those users, giving them a short session
timeout (say 5, 10 minutes) which, if they fail to see or heed our
message, will motivate them to call helpdesk and get sorted out, and
also setting their primary DNS server to one which resolves every
hostname to one of your IP addresses using a wildcard zone or some such.

If this DNS server is already providing other services, you'll want to
use a view for walled garden users, which you may need to facilitate by
putting them into a specific subnet. What attributes you use, exactly,
will depend on your NAS gear.

* On that IP address that you're resolving * to, is a webserver which
displays the message you wish the walled garden users to read. If this
webserver already serves other pages, you'll need to do some URL
rewriting to send them to the appropriate page eg: using Apache's
mod_rewrite. This way, any request for a web page will display your
message.

Personally, I find the easiest approach is to just dust off a box that's
not being used and put the wildcard DNS and webserver on it - it's only
got a couple of very simple functions to perform and it's not a critical
service.

You may also want to consider applying packet filtering to walled garden
users as they'll still be able to reach the entire Internet by IP
address, though the session timeouts make that only a moderate concern
in our situation.

You could also do a similar thing with email by setting up a mailserver
on the wildcarded IP and bouncing everything with your walled garden
message. Personally, I think sending your customers an email and then
putting in the web-based walled garden is enough.

Cheers,

James Wakefield
Systems Administrator
+61 03 5227 6888

We have now moved head office to 8-12 Pakington Street, Geelong West.



McCain, Al wrote:

>Hi.
>
>I was wondering if there was a way to place users in a Walled Garden if
>they try to Auth without a Realm.
>We are currently running FreeRADIUS Version 0.9.3. Our users are stored
>in MySQL.
>
>Company:
>I work for an ISP. We seem to acquire new properties every few months.
>
>Current structure : 
>
>We have multiple instances of RADIUS running: one for each domain. (I 
>have NO clue who set it up this way).
>
>I would like to consolidate these instances into one, and force our
>users to use realms.
>
>Problem:
>
>We can't just force the customers to use realms. We would need to 
>notify them of the changes. (This can prove tricky).
>
>What I would like to see:
>
>Aside from contacting the customer about changes, I would like to send 
>the users to a web page after they log in without a realm. The page 
>would tell them that they need to log in with realms.  I believe this 
>is called hURL'ing, however I cannot seem to find any documentation.
>
>Has anyone ever done this, or know if it can be done ? 
>
>Any help is greatly appreciated. 
>
>Thanks,
>Al
>
>-
>List info/subscribe/unsubscribe? See 
>http://www.freeradius.org/list/users.html
>  
>
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


Very good idea James.  I will test that out. 

-Al 
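
As an added example (not part of this thread, and not FreeRADIUS's own
documentation), this is what James's recipe looks like as configuration,
written against the users-file syntax of the 0.9/1.x series that Al is
running. Every address, subnet, file path, huntgroup name and hostname
below is an assumption chosen for illustration, and so is the choice of
DNS attribute: Ascend-Client-Primary-DNS / Ascend-Client-Secondary-DNS
(from dictionary.ascend) suit Ascend/Lucent NASes, while other vendors
need their own attribute (for example MS-Primary-DNS-Server for gear
that honours the Microsoft VSAs), exactly as James says. It matches on
both the old-NAS huntgroup and the absence of a realm, so it covers
James's situation and Al's.

```text
### /etc/raddb/huntgroups  (assumed addresses: the NASes being retired)
oldnas  NAS-IP-Address == 192.0.2.10
oldnas  NAS-IP-Address == 192.0.2.11

### /etc/raddb/proxy.conf  (a NULL realm makes rlm_realm add Realm = "NULL"
### to realm-less requests; without it the Realm attribute is simply absent
### and there is nothing for the users file to compare against)
realm NULL {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

### /etc/raddb/users  (put this DEFAULT entry above the ordinary DEFAULT;
### it adds reply items only, so the MySQL password check still decides
### accept/reject. Fall-Through = Yes lets the ordinary DEFAULT still
### supply Framed-Protocol etc.; "=" items added later do not override
### attributes that are already present.)
# Called-Station-Id == "0355551234" would work instead of the huntgroup
# if the old dial-up number is the thing that identifies the user.
DEFAULT Huntgroup-Name == "oldnas", Realm == "NULL"
        Session-Timeout = 600,
        Idle-Timeout = 300,
        Ascend-Client-Primary-DNS = 192.0.2.53,
        Ascend-Client-Secondary-DNS = 192.0.2.53,
        Reply-Message = "Please reconnect as user@example.net",
        Fall-Through = Yes

### named.conf  (view for the walled-garden subnet; "." is served
### authoritatively so every name falls through to the wildcard)
view "walled-garden" {
    match-clients { 192.0.2.128/25; };   # assumed subnet the NAS hands walled users
    recursion no;
    zone "." {
        type master;
        file "/etc/bind/db.walled-root";
    };
};
# Once one view exists, every other client needs a view too, e.g.
# view "normal" { match-clients { any; }; recursion yes; ... };

### /etc/bind/db.walled-root  (the fake root: "*" answers for any name)
$TTL 60
@   IN SOA  ns. hostmaster.walled.example. ( 2005091901 3600 900 604800 60 )
    IN NS   ns.
ns  IN A    192.0.2.53
*   IN A    192.0.2.80

### Apache httpd.conf  (every URL is rewritten internally to the notice
### page; the RewriteCond stops the rule from matching its own output)
<VirtualHost 192.0.2.80:80>
    ServerName   walled.example
    DocumentRoot /var/www/walled
    RewriteEngine On
    RewriteCond  %{REQUEST_URI} !^/walled\.html$
    RewriteRule  .* /walled.html [L]
</VirtualHost>
```

Two things to check before relying on this. The `suffix` instance of
rlm_realm has to run before `files` in the authorize section (it does in
the stock radiusd.conf), or Realm is not yet set when the users file is
evaluated; `radiusd -X` shows the order and which DEFAULT entry matched.
And James's packet-filtering point still stands: nothing above stops a
user who types an IP address instead of a hostname, so if the short
Session-Timeout is not enough, filter the walled-garden subnet at the
access router as well.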
