Walled Garden for Users Without Realms.

James Wakefield (Sunet Sysadmin) sysadmin at sunet.com.au
Tue Sep 20 00:56:02 CEST 2005


Hi Alexander,

BIND can do it, we use version 8.4.6 on that particular server. Here are 
the relevant parts from named.conf. You don't have to use views if the 
box doesn't serve any other zones, but if so, do as below:

---------------------------------------------------------------

// Views are matched in order, so this one must come before the
// catch-all "default" view below.
view "old_dial_walled_garden" {

    // only clients in the walled-garden subnets see this fake root zone
    match-clients { xxx.yyy.zzz.64/26; xxx.yyy.zzz.128/25; };

    zone "." in {
        type master;
        file "db.walled_garden_root";
    };
};

view "default" {

    match-clients { any; };

    // all of your normal zones go here

};
---------------------------------------------------------------------

The wildcard zone file, db.walled_garden_root:

-------------------------------------------------------------------------

; BIND db file for the root zone that walled garden users will see

$TTL 60

@ IN SOA server. dnsadmin.sunet.com.au. (
        2005072501 ; serial number YYYYMMDDNN
        60 ; Refresh
        60 ; Retry
        60 ; Expire
        60 ; Min TTL
        )

; Authoritative Nameservers [NS]
; (leading whitespace: these records keep the previous owner, "@")
    NS walled-garden-server-hostname
    IN A aaa.bbb.ccc.ddd

; wildcard: every other name resolves to the walled-garden server
* IN A aaa.bbb.ccc.ddd

--------------------------------------------------------------------------------------

Hope that helped,

James Wakefield
Systems Administrator
+61 03 5227 6888

We have now moved head office to 8-12 Pakington Street,
Geelong West.



Alexander C. Fossa wrote:

>Hi James,
>
>Exactly what I have been trying to do for about 6 months, but keep
>getting distracted by doing something else.
>
>What software do you use for the wildcard DNS? Any example configs?
>
>Regards,
>
>Alexander Fossa
>
>-----Original Message-----
>From: freeradius-users-bounces at lists.freeradius.org
>[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
>McCain, Al
>Sent: 19 September 2005 14:26
>To: FreeRadius users mailing list
>Subject: RE: Walled Garden for Users Without Realms.
>
> 
>
>-----Original Message-----
>From: freeradius-users-bounces at lists.freeradius.org
>[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
>James Wakefield (Sunet Sysadmin)
>Sent: Sunday, September 18, 2005 6:27 PM
>To: FreeRadius users mailing list
>Subject: Re: Walled Garden for Users Without Realms.
>
>G'day Al,
>
>We're doing the same thing here changing a dial-up number and migrating
>off of the NASes that serve that number. My approach is:
>
>* Match customers who need to be placed in the walled garden, this is
>easy enough for our situation, as they're in the huntgroup comprised of
>the old NASes. I could also match Called-Station-Id if I wanted.
>
>* Send specific attributes for those users, giving them a short session
>timeout (say 5, 10 minutes) which, if they fail to see or heed our
>message, will motivate them to call helpdesk and get sorted out, and
>also setting their primary DNS server to one which resolves every
>hostname to one of your IP addresses using a wildcard zone or some such.
>
>If this DNS server is already providing other services, you'll want to
>use a view for walled garden users, which you may need to facilitate by
>putting them into a specific subnet. What attributes you use, exactly,
>will depend on your NAS gear.
>
>* On that IP address that you're resolving * to, is a webserver which
>displays the message you wish the walled garden users to read. If this
>webserver already serves other pages, you'll need to do some URL
>rewriting to send them to the appropriate page eg: using Apache's
>mod_rewrite. This way, any request for a web page will display your
>message.
>
>Personally, I find the easiest approach is to just dust off a box that's
>not being used and put the wildcard DNS and webserver on it - it's only
>got a couple of very simple functions to perform and it's not a critical
>service.
>
>You may also want to consider applying packet filtering to walled garden
>users as they'll still be able to reach the entire Internet by IP
>address, though the session timeouts make that only a moderate concern
>in our situation.
>
>You could also do a similar thing with email by setting up a mailserver
>on the wildcarded IP and bouncing everything with your walled garden
>message. Personally, I think sending your customers an email and then
>putting in the web-based walled garden is enough.
>
>Cheers,
>
>James Wakefield
>Systems Administrator
>+61 03 5227 6888
>
>We have now moved head office to 8-12 Pakington Street, Geelong West.
>
>
>
>McCain, Al wrote:
>
>>Hi.
>>
>>I was wondering if there was a way to place users in a Walled Garden if
>>they try to Auth without a Realm.
>>We are currently running FreeRADIUS Version 0.9.3. Our users are stored
>>in MySQL.
>>
>>Company:
>>I work for an ISP. We seem to acquire new properties every few months. 
>>
>>Current structure : 
>>
>>We have multiple instances of RADIUS running: one for each domain. (I 
>>have NO clue who set it up this way).
>>
>>I would like to consolidate these instances into one, and force our 
>>users to use realms.
>>
>>Problem:
>>
>>We can't just force the customers to use realms. We would need to 
>>notify them of the changes. (This can prove tricky).
>>
>>What I would like to see:
>>
>>Aside from contacting the customer about changes, I would like to send 
>>the users to a web page after they log in without a realm. The page 
>>would tell them that they need to log in with realms.  I believe this 
>>is called hURL'ing, however I cannot seem to find any documentation.
>>
>>Has anyone ever done this, or know if it can be done ? 
>>
>>Any help is greatly appreciated. 
>>
>>Thanks,
>>Al
>>
>>-
>>List info/subscribe/unsubscribe? See 
>>http://www.freeradius.org/list/users.html
>
>Very good idea James.  I will test that out. 
>
>-Al 
>
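The URL rewriting James mentions for the web side of the walled garden, as an added example that is not from the original thread: an Apache catch-all virtual host on the wildcard IP that redirects every request to the notice page, exempting the notice page itself and its static files so the redirect cannot loop. The address aaa.bbb.ccc.ddd is the post's own placeholder; the ServerName and paths are assumed.

```apache
# Catch-all virtual host on the wildcard IP. The walled-garden DNS
# resolves every hostname to this address, so the Host header can be
# anything; ServerAlias * accepts all of them.
<VirtualHost aaa.bbb.ccc.ddd:80>
    # Assumed name and document root; adjust to your server.
    ServerName walled-garden.example.net
    ServerAlias *
    DocumentRoot /var/www/walled-garden

    RewriteEngine On
    # Pass the notice page and its static files through untouched.
    # Without these exemptions the catch-all rule below would redirect
    # the notice page to itself and the browser would report a loop.
    RewriteRule ^/notice\.html$ - [L]
    RewriteRule ^/static/ - [L]
    # Every other request, any path on any hostname, goes to the notice.
    # 302 (temporary) so browsers do not cache the redirect once the
    # customer has fixed their login and left the walled garden.
    RewriteRule ^.*$ /notice.html [R=302,L]
</VirtualHost>
```

Because the redirect target keeps whatever hostname the browser used, the wildcard DNS brings the follow-up request straight back to this host, where the first rule serves the page.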


