I am currently envolved in a wireless project. How ever we currently need a radius server with the ability for users to register them selfs, also it would be ideal if this solution offerd email authentication. Is this possible at all?
Michael Fisher <mike@chorleyservices.com> wrote:
I am currently envolved in a wireless project. How ever we currently need a radius server with the ability for users to register them selfs, also it would be ideal if this solution offerd email authentication. Is this possible at all?
They can't send email until they're authenticated. So they'll have to send email from somewhere else on the net. You can then put that information into a database, at which time they can login through RADIUS. Alan DeKok.
So how do i go about creating the self registration system and what im thinking is offering walled garden access for email Alan DeKok wrote:
Michael Fisher <mike@chorleyservices.com> wrote:
I am currently envolved in a wireless project. How ever we currently need a radius server with the ability for users to register them selfs, also it would be ideal if this solution offerd email authentication. Is this possible at all?
They can't send email until they're authenticated. So they'll have to send email from somewhere else on the net. You can then put that information into a database, at which time they can login through RADIUS.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Michael, On Sat, Jul 09, 2005 at 08:40:29PM +0100, Michael Fisher wrote:
So how do i go about creating the self registration system and what im thinking is offering walled garden access for email
Take a look into NetReg for doing what you want: http://www.netreg.org
Alan DeKok wrote:
Michael Fisher <mike@chorleyservices.com> wrote:
I am currently envolved in a wireless project. How ever we currently need a radius server with the ability for users to register them selfs, also it would be ideal if this solution offerd email authentication. Is this possible at all?
They can't send email until they're authenticated. So they'll have to send email from somewhere else on the net. You can then put that information into a database, at which time they can login through RADIUS.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--johnk
On Sat, 9 Jul 2005, Michael Fisher wrote:
I am currently envolved in a wireless project. How ever we currently need a radius server with the ability for users to register them selfs, also it would be ideal if this solution offerd email authentication. Is this possible at all?
How about simply firewalling unauthenticated connections and routing all access requests to a secured website running a registration script. This may not scale to a large deployment without a fair bit of work but for a small to medium sized network it should be fairly easy. Jason -- UKFSN.ORG Finance Free Software while you surf the 'net http://www.ukfsn.org/ 2Mb ADSL Broadband from just £14.98 / month
On Sun, Jul 10, 2005 at 08:40:46PM +0100, Jason Clifford wrote:
How about simply firewalling unauthenticated connections and routing all access requests to a secured website running a registration script.
This may not scale to a large deployment without a fair bit of work but for a small to medium sized network it should be fairly easy.
Great idea, Jason! That is exactly what NetReg does: http://www.netreg.org
Jason -- UKFSN.ORG Finance Free Software while you surf the 'net http://www.ukfsn.org/ 2Mb ADSL Broadband from just ?14.98 / month
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--johnk
Unfortunatly this solution must be able to scale up. We have already assesed other technologies but they are not to our liking. Since there will be many APs in a certain area so they must be abble to grab account info from a central server. jck-freeradius@southwestern.edu wrote:
On Sun, Jul 10, 2005 at 08:40:46PM +0100, Jason Clifford wrote:
How about simply firewalling unauthenticated connections and routing all access requests to a secured website running a registration script.
This may not scale to a large deployment without a fair bit of work but for a small to medium sized network it should be fairly easy.
Great idea, Jason!
That is exactly what NetReg does: http://www.netreg.org
Jason -- UKFSN.ORG Finance Free Software while you surf the 'net http://www.ukfsn.org/ 2Mb ADSL Broadband from just ?14.98 / month
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--johnk - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi. Cant you just have a subscribe.somesite.com which points to a unofficial IP and there let your users subscribe? Use local DNS servers for hostname mapping. The subscribe site would be just some PHP scripts adding users to a database. Then let radius talk to it to authenticate your users. This way you can have multiple proxying radius servers and redundant database servers, proxy http etc. Cheers, Marcin Jessa. On Mon, 11 Jul 2005 16:42:15 +0100 Michael Fisher <mike@chorleyservices.com> wrote:
Unfortunatly this solution must be able to scale up. We have already assesed other technologies but they are not to our liking. Since there will be many APs in a certain area so they must be abble to grab account info from a central server. jck-freeradius@southwestern.edu wrote:
On Sun, Jul 10, 2005 at 08:40:46PM +0100, Jason Clifford wrote:
How about simply firewalling unauthenticated connections and routing all access requests to a secured website running a registration script.
This may not scale to a large deployment without a fair bit of work but for a small to medium sized network it should be fairly easy.
Great idea, Jason!
That is exactly what NetReg does: http://www.netreg.org
Jason -- UKFSN.ORG Finance Free Software while you surf the 'net http://www.ukfsn.org/ 2Mb ADSL Broadband from just ?14.98 / month
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--johnk - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Check out the Cisco SSG/SESM solution. You route all the traffic through one (or many) SSG's. The SSG will determine whether or not the session is authenticated based on IP address. If not, it will redirect the user to the SESM page, where they will login. The SESM will send the username/password to RADIUS and then communicate back to the SSG whether or not it was successful and certain reply attributes that define the profile they have access to. Then the user will be redirected back to the page they originally created. We use it here for our Wifi APs around the city. The downfall of it, is that the sessions are based on IP, so NAT will break it. If you have your APs setup to NAT/PAT the connections behind it, then only one user will have to authenticate and all will be authenticated. You get around that by making the APs a simple bridge and assign IPs to the PCs connected to it via DHCP. If you decide to use the SSG/SESM, I can send you informatoin on how to configure Freeradius for it as I am doing this now. The other nice thing about it, is that it will support multiple profiles that can be stored in RADIUS. So, you could have the user login to different services, or different ISPs, etc.. Based on something, such as a realm, the RADIUS server will return which profile the user now has access to. The SSG will then allow access to the services defined in that profile. You can also define the ACLs, next hop, etc.. in the RADIUS server for that profile and the SSGs can simply query RADIUS for that information. That helps so you don't have to configure multiple profiles on each SSG, its all in RADIUS. You can also do walled gardens within it, so unauthenticated users can still have access to local content (such as company info, portal pages, dns, other local websites, etc...). -Dusty Doris On Mon, 11 Jul 2005, Michael Fisher wrote:
Unfortunatly this solution must be able to scale up. We have already assesed other technologies but they are not to our liking. Since there will be many APs in a certain area so they must be abble to grab account info from a central server. jck-freeradius@southwestern.edu wrote:
On Sun, Jul 10, 2005 at 08:40:46PM +0100, Jason Clifford wrote:
How about simply firewalling unauthenticated connections and routing all access requests to a secured website running a registration script.
This may not scale to a large deployment without a fair bit of work but for a small to medium sized network it should be fairly easy.
participants (6)
-
Alan DeKok -
Dusty Doris -
Jason Clifford -
jck-freeradius@southwestern.edu -
Marcin Jessa -
Michael Fisher