It is a tricky concept, but it can be done with a lot of effort.
Probably not for all applications ( since it doesn’t make any sense for some of
them ). Maybe you should consider making a real network DMZ. The concept of DMZ
allows you to define and allow/disallow access to services from the Internet
and those from the local LAN. You DO NOT make things or services available “to
the DMZ” !
Start simple !
Regards,
E:S
From:
freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.org
[mailto:freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.org] On
Behalf Of Jesse Stone
Sent: Samstag, 06. September 2008 01:50
To: FreeRadius users mailing list
Subject: Re: Freeradius Usage
Thank you for the quick response. I may not have
mentioned this previously but I am by no means a linux/networking expert.
The company I work for is pro-MS. Recently, I got the urge to get back
into Linux and here I am.
My thinking (in regards to network structure) was that I
wanted applications intended to the public as far away from my local lan as
posible. The local lan requires the app server though- OpenVPN,
Samba (as a PDC), misc other things so I wanted it available to the local lan
but not to the DMZ.
My main questions though are with Freeradius. My setup
is for "hobby" purposes only and already I would have difficulty
telling you exactly which users have access to what.
I want to using a technology like Freeradius or LDAP create
1 central place on the app server that EVERYTHING would authenication to.
In a perfect world, the end result would be that I could type something like
this:
select %user% from permissionsDB
and be returned something like this:
SSH: NO, OpenVPN: YES, Samba: %Specific group% (which
indicates shares available), Shell Access: No, ect
Basically, I want a setup where I can easilly scale upwards
without having to "teach" each new application how to use a DB.
Freeradious also can authenicate my wireless users when would also be great as
for all I know, half my bandwidth is being used by my neighbors.
-Jesse
On Fri, Sep 5, 2008 at 4:34 PM, Edvin Seferovic <edvin.seferovic@kolp.at> wrote:
Hi,
excuse me for
asking, but why dont you set up the AppServer in your DMZ ? you could have (
what I call ) the T – structure
>< ---
INTERNET --> GATEWAY ( server1 ) <---> LOCAL LAN
I
I DMZ
I
SERVER2 + APPServer
It depends how your
users use the gateway and how are they suppose to connect to the Internet.
Regards,
E:S
From: freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.org
[mailto:freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.org] On
Behalf Of Jesse Stone
Sent: Samstag, 06. September 2008 01:25
To: FreeRadius users mailing list
Subject: Freeradius Usage
Hi All,
I am new to this mailing list and am about to ask a probably very silly
question. Please feel free to direct me to resources that'll help me
answer them.
I want to setup the following:
Gateway [server1]
- nic1 = Internet
- nic2 = DMZ [server2]
- nic3 = Router w/ Wireless ->
App Server [Server3] (FREERADIUS SERVER HERE) -> Local Lan
I read a lot about both Freeradius and LDAP and cannot determine if either
can accomplish my goals.
What I want is:
1) 1 central place where all user authenication takes
place: SSH, Shell Access, Samba, OpenVPN, Mumble, Any other app
that requires user administration.
2) This information stored in a SQL type database so that I can build
my own custom apps to report on user usage, performance ect.
3) My router has wireless and I have enabled the security
features. I would still like authenication to take place before a
wireless user is allowed on the network.
For example,
Currently, I have this: Router w/ Wireless -> App Server [Server3] +
Local Lan
I want this: Router w/ Wireless -> App Server [Server3] -> Local Lan
Is Freeradius the best approach for my needs? Do I need anything
else?
-Jesse
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html