Radius Self Service

Matthew Newton mcn4 at leicester.ac.uk
Fri Feb 17 00:22:31 CET 2012


Hi,

On Thu, Feb 16, 2012 at 10:21:37AM +0000, Peter Moreton wrote:
> I have a working RADIUS server, "RADIUS01" running
> Centos/Freeradius. Freeradius is configured to store username
> and PIN-style passwords in MySQL. To go live with our RADIUS
> implementation, I have been tasked with making the selection of
> PIN's a self-service process. I'm considering an email-based
> approach where user at foobar.org.uk can email PIN at foobar.org.uk in
> order to achieve PIN maintenance. (I understand the risk of
> email header spoofing). 

I really wouldn't use e-mail for this. Once upon a time, e-mail
responders were sort-of normal. These days people will just think
the system is weird. Add to that trying to parse the HTML and other
**** that people send by e-mail these days.

Web interface is most likely the way to go.

> Since I don't know Linux terribly well, I'm asking the group if
> my proposal is a sensible approach? Am I re-inventing any
> wheels? Should I consider an alternative method?

I can't guess much about your setup from your e-mail, but I'd
probably think through things in something like this order, if
they are possible, in decreasing order of security (1 & 2 may not
be possible) -


1. Use your central authentication system for your RADIUS auth,
and forget about the pin numbers. Then another system is managing
the passwords for you.

2. Use your central auth system to authenticate users to a web
page, where they can set a pin number in your mysql db. Then
you know the right person set the right pin.

3. Allow anyone to request a new pin from a web page by entering
in their e-mail address and pin (and existing pin, if already
set). The system e-mails them a coded URL, and the new pin becomes
active upon visiting the URL in the e-mail (uses e-mail to verify
the right person requested the pin as hopefully only they have
access to their mailbox; better than looking at the probably
spoofed sender of an e-mail received by you).

 (3a - or replying to the mail, rather than clicking the link, but
 then you've got to try and process e-mails again...)

4. Web page allows an e-mail address and pin to be entered,
verified by existing pin if already set, and sets the pin
immediately. Possibly an e-mail sent after the pin has been set,
so the user is notified (esp. if someone else changes the pin
somehow.)

5. Web page allows anyone to set a pin given an e-mail address and
a new pin. About as secure as allowing pins to be set by e-mailing
in...


If you've got a central auth of some sort, (1) is probably the
easiest as it skips the web bit, but there may be reasons why you
can't do that.

2-5 (or other similar options) are probably, in their utter
simplest form, possible in less than 100 lines of perl or your
other favourite scripting language. I'm not really sure where to
suggest to begin if you're new to Linux, though - the only thing
you might consider, if you're more comfortable in Windows, is
writing a web app in something on a Windows system that updates
the mysql database.  There's no need to have that running on the
same box...

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
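Option 3 from the reply above, as an added example that is not code from the thread or from FreeRADIUS: a request/activate flow in which the new PIN is only stored as pending until the coded URL is visited. In-memory dicts stand in for the MySQL tables, the activation URL is returned instead of being e-mailed, and the base URL and 15-minute token lifetime are assumptions.

```python
"""Self-service PIN change with e-mail confirmation (constructed example).

request_pin() records a pending PIN and produces a one-time URL to mail to
the user; activate() makes the PIN live when that URL is visited. Dicts
stand in for the MySQL tables FreeRADIUS reads."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

BASE_URL = "https://radius01.example.org/pin/activate?token="  # assumed host/path
TOKEN_TTL = 15 * 60  # assumed: seconds a pending request stays valid

active_pins: Dict[str, str] = {}   # e-mail -> live PIN (stand-in for the radcheck table)
pending: Dict[str, dict] = {}      # sha256(token) -> pending request


def _digest(token: str) -> str:
    # Only a hash of the token is stored, so a leaked copy of the pending
    # table cannot be replayed as a valid activation link.
    return hashlib.sha256(token.encode()).hexdigest()


def request_pin(email: str, new_pin: str, existing_pin: Optional[str] = None,
                now: Optional[float] = None) -> Optional[str]:
    """Store the requested PIN as pending and return the coded URL to e-mail.
    Returns None when a PIN is already set and the supplied existing PIN is wrong."""
    now = time.time() if now is None else now
    current = active_pins.get(email)
    if current is not None:
        # Constant-time compare of the existing PIN before accepting a change.
        if existing_pin is None or not hmac.compare_digest(current, existing_pin):
            return None
    token = secrets.token_urlsafe(32)  # unguessable, URL-safe random token
    pending[_digest(token)] = {"email": email, "pin": new_pin,
                               "expires": now + TOKEN_TTL}
    return BASE_URL + token


def activate(token: str, now: Optional[float] = None) -> bool:
    """Make the pending PIN live. The link is single-use and expires."""
    now = time.time() if now is None else now
    req = pending.pop(_digest(token), None)  # pop: a link can only be used once
    if req is None or now > req["expires"]:
        return False
    active_pins[req["email"]] = req["pin"]
    return True
```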


