It is a tricky concept, but it can be done with a lot of effort. Probably not for all applications ( since it doesn't make any sense for some of them ). Maybe you should consider making a real network DMZ. The concept of DMZ allows you to define and allow/disallow access to services from the Internet and those from the local LAN. You DO NOT make things or services available "to the DMZ" !
Start simple !
Regards,
E:S
From: freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.org [mailto:freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.org] On Behalf Of Jesse Stone
Sent: Samstag, 06. September 2008 01:50Subject: Re: Freeradius Usage
To: FreeRadius users mailing list
Thank you for the quick response. I may not have mentioned this previously but I am by no means a linux/networking expert. The company I work for is pro-MS. Recently, I got the urge to get back into Linux and here I am.
My thinking (in regards to network structure) was that I wanted applications intended to the public as far away from my local lan as posible. The local lan requires the app server though- OpenVPN, Samba (as a PDC), misc other things so I wanted it available to the local lan but not to the DMZ.
My main questions though are with Freeradius. My setup is for "hobby" purposes only and already I would have difficulty telling you exactly which users have access to what.
I want to using a technology like Freeradius or LDAP create 1 central place on the app server that EVERYTHING would authenication to. In a perfect world, the end result would be that I could type something like this:
select %user% from permissionsDB
and be returned something like this:
SSH: NO, OpenVPN: YES, Samba: %Specific group% (which indicates shares available), Shell Access: No, ect
Basically, I want a setup where I can easilly scale upwards without having to "teach" each new application how to use a DB. Freeradious also can authenicate my wireless users when would also be great as for all I know, half my bandwidth is being used by my neighbors.
-Jesse
On Fri, Sep 5, 2008 at 4:34 PM, Edvin Seferovic <edvin.seferovic@kolp.at> wrote:
Hi,
excuse me for asking, but why dont you set up the AppServer in your DMZ ? you could have ( what I call ) the T – structure
>< --- INTERNET --> GATEWAY ( server1 ) <---> LOCAL LAN
I
I DMZ
I
SERVER2 + APPServer
It depends how your users use the gateway and how are they suppose to connect to the Internet.
Regards,
E:S
From: freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.org [mailto:freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.org] On Behalf Of Jesse Stone
Sent: Samstag, 06. September 2008 01:25
To: FreeRadius users mailing list
Subject: Freeradius Usage
Hi All,
I am new to this mailing list and am about to ask a probably very silly question. Please feel free to direct me to resources that'll help me answer them.
I want to setup the following:
Gateway [server1]
- nic1 = Internet
- nic2 = DMZ [server2]
- nic3 = Router w/ Wireless -> App Server [Server3] (FREERADIUS SERVER HERE) -> Local Lan
I read a lot about both Freeradius and LDAP and cannot determine if either can accomplish my goals.
What I want is:
1) 1 central place where all user authenication takes place: SSH, Shell Access, Samba, OpenVPN, Mumble, Any other app that requires user administration.
2) This information stored in a SQL type database so that I can build my own custom apps to report on user usage, performance ect.
3) My router has wireless and I have enabled the security features. I would still like authenication to take place before a wireless user is allowed on the network.
For example,
Currently, I have this: Router w/ Wireless -> App Server [Server3] + Local Lan
I want this: Router w/ Wireless -> App Server [Server3] -> Local Lan
Is Freeradius the best approach for my needs? Do I need anything else?
-Jesse
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html