Would Freeradius be the correct technology for this? For example, Currently, for me to allow someone access to my OpenVPN server and Samba I have to first add them as a standard user with the useradd script. Then I have use smbpasswd -e to enable their account for Samba. If I wanted that user to also be able to SSH into another server I would have to repeat this process. After about 3 users I forgot who has access to what. This is the process I want to simply. I want 1 place/script that prompts for every app/server that I want to restrict access to: Samba, SSH, Shell access, X, ect. I want this infromation stored in a standard SQL type database though so I can easilly manipulate users once they've been created on the fly. Perferrably within 1 table like a provided in my last email for an example simple user management style. What do large companies that have many users/linux machines use to handle user administration? -Jesse On Fri, Sep 5, 2008 at 5:30 PM, Edvin Seferovic <edvin.seferovic@kolp.at>wrote:
It is a tricky concept, but it can be done with a lot of effort. Probably not for all applications ( since it doesn't make any sense for some of them ). Maybe you should consider making a real network DMZ. The concept of DMZ allows you to define and allow/disallow access to services from the Internet and those from the local LAN. You DO NOT make things or services available "to the DMZ" !
Start simple !
Regards,
E:S
*From:* freeradius-users-bounces+edvin.seferovic=kolp.at@ lists.freeradius.org [mailto:freeradius-users-bounces+edvin.seferovic<freeradius-users-bounces%2Bedvin.seferovic> =kolp.at@lists.freeradius.org] *On Behalf Of *Jesse Stone *Sent:* Samstag, 06. September 2008 01:50 *To:* FreeRadius users mailing list *Subject:* Re: Freeradius Usage
Thank you for the quick response. I may not have mentioned this previously but I am by no means a linux/networking expert. The company I work for is pro-MS. Recently, I got the urge to get back into Linux and here I am.
My thinking (in regards to network structure) was that I wanted applications intended to the public as far away from my local lan as posible. The local lan requires the app server though- OpenVPN, Samba (as a PDC), misc other things so I wanted it available to the local lan but not to the DMZ.
My main questions though are with Freeradius. My setup is for "hobby" purposes only and already I would have difficulty telling you exactly which users have access to what.
I want to using a technology like Freeradius or LDAP create 1 central place on the app server that EVERYTHING would authenication to. In a perfect world, the end result would be that I could type something like this:
select %user% from permissionsDB
and be returned something like this:
SSH: NO, OpenVPN: YES, Samba: %Specific group% (which indicates shares available), Shell Access: No, ect
Basically, I want a setup where I can easilly scale upwards without having to "teach" each new application how to use a DB. Freeradious also can authenicate my wireless users when would also be great as for all I know, half my bandwidth is being used by my neighbors.
-Jesse
On Fri, Sep 5, 2008 at 4:34 PM, Edvin Seferovic <edvin.seferovic@kolp.at> wrote:
Hi,
excuse me for asking, but why dont you set up the AppServer in your DMZ ? you could have ( what I call ) the T – structure
< --- INTERNET --> GATEWAY ( server1 ) <---> LOCAL LAN
I
I DMZ
I
SERVER2 + APPServer
It depends how your users use the gateway and how are they suppose to connect to the Internet.
Regards,
E:S
*From:* freeradius-users-bounces+edvin.seferovic=kolp.at@ lists.freeradius.org [mailto:freeradius-users-bounces+edvin.seferovic<freeradius-users-bounces%2Bedvin.seferovic> =kolp.at@lists.freeradius.org] *On Behalf Of *Jesse Stone *Sent:* Samstag, 06. September 2008 01:25 *To:* FreeRadius users mailing list *Subject:* Freeradius Usage
Hi All,
I am new to this mailing list and am about to ask a probably very silly question. Please feel free to direct me to resources that'll help me answer them.
I want to setup the following:
Gateway [server1]
- nic1 = Internet
- nic2 = DMZ [server2]
- nic3 = Router w/ Wireless -> App Server [Server3] (FREERADIUS SERVER HERE) -> Local Lan
I read a lot about both Freeradius and LDAP and cannot determine if either can accomplish my goals.
What I want is:
1) 1 central place where all user authenication takes place: SSH, Shell Access, Samba, OpenVPN, Mumble, Any other app that requires user administration.
2) This information stored in a SQL type database so that I can build my own custom apps to report on user usage, performance ect.
3) My router has wireless and I have enabled the security features. I would still like authenication to take place before a wireless user is allowed on the network.
For example,
Currently, I have this: Router w/ Wireless -> App Server [Server3] + Local Lan
I want this: Router w/ Wireless -> App Server [Server3] -> Local Lan
Is Freeradius the best approach for my needs? Do I need anything else?
-Jesse
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry for the spam, but.. I forgot a part in my current "user add" process: I then have to have the user login via SSH (after having them download Putty) so that they can change their password. Then, I have to disallow them access to SSH (because they shouldn't be logging directly into the servers). On Fri, Sep 5, 2008 at 10:41 PM, Jesse Stone <jstone1999@gmail.com> wrote:
Would Freeradius be the correct technology for this?
For example,
Currently, for me to allow someone access to my OpenVPN server and Samba I have to first add them as a standard user with the useradd script. Then I have use smbpasswd -e to enable their account for Samba. If I wanted that user to also be able to SSH into another server I would have to repeat this process. After about 3 users I forgot who has access to what. This is the process I want to simply. I want 1 place/script that prompts for every app/server that I want to restrict access to: Samba, SSH, Shell access, X, ect. I want this infromation stored in a standard SQL type database though so I can easilly manipulate users once they've been created on the fly. Perferrably within 1 table like a provided in my last email for an example simple user management style.
What do large companies that have many users/linux machines use to handle user administration?
-Jesse
On Fri, Sep 5, 2008 at 5:30 PM, Edvin Seferovic <edvin.seferovic@kolp.at>wrote:
It is a tricky concept, but it can be done with a lot of effort. Probably not for all applications ( since it doesn't make any sense for some of them ). Maybe you should consider making a real network DMZ. The concept of DMZ allows you to define and allow/disallow access to services from the Internet and those from the local LAN. You DO NOT make things or services available "to the DMZ" !
Start simple !
Regards,
E:S
*From:* freeradius-users-bounces+edvin.seferovic=kolp.at@ lists.freeradius.org [mailto:freeradius-users-bounces+edvin.seferovic<freeradius-users-bounces%2Bedvin.seferovic> =kolp.at@lists.freeradius.org] *On Behalf Of *Jesse Stone *Sent:* Samstag, 06. September 2008 01:50 *To:* FreeRadius users mailing list *Subject:* Re: Freeradius Usage
Thank you for the quick response. I may not have mentioned this previously but I am by no means a linux/networking expert. The company I work for is pro-MS. Recently, I got the urge to get back into Linux and here I am.
My thinking (in regards to network structure) was that I wanted applications intended to the public as far away from my local lan as posible. The local lan requires the app server though- OpenVPN, Samba (as a PDC), misc other things so I wanted it available to the local lan but not to the DMZ.
My main questions though are with Freeradius. My setup is for "hobby" purposes only and already I would have difficulty telling you exactly which users have access to what.
I want to using a technology like Freeradius or LDAP create 1 central place on the app server that EVERYTHING would authenication to. In a perfect world, the end result would be that I could type something like this:
select %user% from permissionsDB
and be returned something like this:
SSH: NO, OpenVPN: YES, Samba: %Specific group% (which indicates shares available), Shell Access: No, ect
Basically, I want a setup where I can easilly scale upwards without having to "teach" each new application how to use a DB. Freeradious also can authenicate my wireless users when would also be great as for all I know, half my bandwidth is being used by my neighbors.
-Jesse
On Fri, Sep 5, 2008 at 4:34 PM, Edvin Seferovic <edvin.seferovic@kolp.at> wrote:
Hi,
excuse me for asking, but why dont you set up the AppServer in your DMZ ? you could have ( what I call ) the T – structure
< --- INTERNET --> GATEWAY ( server1 ) <---> LOCAL LAN
I
I DMZ
I
SERVER2 + APPServer
It depends how your users use the gateway and how are they suppose to connect to the Internet.
Regards,
E:S
*From:* freeradius-users-bounces+edvin.seferovic=kolp.at@ lists.freeradius.org [mailto:freeradius-users-bounces+edvin.seferovic<freeradius-users-bounces%2Bedvin.seferovic> =kolp.at@lists.freeradius.org] *On Behalf Of *Jesse Stone *Sent:* Samstag, 06. September 2008 01:25 *To:* FreeRadius users mailing list *Subject:* Freeradius Usage
Hi All,
I am new to this mailing list and am about to ask a probably very silly question. Please feel free to direct me to resources that'll help me answer them.
I want to setup the following:
Gateway [server1]
- nic1 = Internet
- nic2 = DMZ [server2]
- nic3 = Router w/ Wireless -> App Server [Server3] (FREERADIUS SERVER HERE) -> Local Lan
I read a lot about both Freeradius and LDAP and cannot determine if either can accomplish my goals.
What I want is:
1) 1 central place where all user authenication takes place: SSH, Shell Access, Samba, OpenVPN, Mumble, Any other app that requires user administration.
2) This information stored in a SQL type database so that I can build my own custom apps to report on user usage, performance ect.
3) My router has wireless and I have enabled the security features. I would still like authenication to take place before a wireless user is allowed on the network.
For example,
Currently, I have this: Router w/ Wireless -> App Server [Server3] + Local Lan
I want this: Router w/ Wireless -> App Server [Server3] -> Local Lan
Is Freeradius the best approach for my needs? Do I need anything else?
-Jesse
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jesse Stone wrote:
I then have to have the user login via SSH (after having them download Putty) so that they can change their password. Then, I have to disallow them access to SSH (because they shouldn't be logging directly into the servers).
You will need to write scripts to do that. It has nothing to do with RADIUS. Alan DeKok.
Jesse Stone wrote:
What do large companies that have many users/linux machines use to handle user administration?
LDAP. And they generally don't have complicated permissions policies. They're just too hard to maintain. RADIUS is mostly for dial-up or WiFi access. Alan DeKok.
Thanks Alan. I'm going to start researching LDAP. I would like to add authenication for wireless though via FreeRadius. Are there any good sites/guides on how to do this? Does my network setup need to be like this for it to work: Internet -> Router W/ Wireless -> Nic1 of server running freeradius Nic2 Switch that connects rest of network -Jesse On Sat, Sep 6, 2008 at 3:14 AM, Alan DeKok <aland@deployingradius.com>wrote:
Jesse Stone wrote:
What do large companies that have many users/linux machines use to handle user administration?
LDAP.
And they generally don't have complicated permissions policies. They're just too hard to maintain.
RADIUS is mostly for dial-up or WiFi access.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Jess, Radius has nothing to do with controlling traffic, wireless --> Network Radius ----> Network LDAP(AD)---> Network is more like it ... accesspoint just checks if it can allow the user/mac/workstation with the radius server. now if you need some sort of bandwidth controller(RAS) or your accesspoint can not use radius directly, you can use chillispot which has captive portal (Like wifi hotspots). Wireless--->Private wireless Network--->Chillispot---->Rest of the network you can buy wifi accesspoints with chillispot(linksys wrt accesspoints). to give you a scenario on how we use radius in our company. In out company we employees access the internet through vpn(PPTP on cisco router) which authenticates with freeradius which in turn, pulls user's profile and authenticates them against LDAP(Active Directory) ... Cheers, PDB -----Original Message----- From: freeradius-users-bounces+p_beheshti=rasana.net@lists.freeradius.org on behalf of Jesse Stone Sent: Sun 9/7/2008 2:56 AM To: FreeRadius users mailing list Subject: Re: Freeradius Usage Thanks Alan. I'm going to start researching LDAP. I would like to add authenication for wireless though via FreeRadius. Are there any good sites/guides on how to do this? Does my network setup need to be like this for it to work: Internet -> Router W/ Wireless -> Nic1 of server running freeradius Nic2 Switch that connects rest of network -Jesse On Sat, Sep 6, 2008 at 3:14 AM, Alan DeKok <aland@deployingradius.com>wrote:
Jesse Stone wrote:
What do large companies that have many users/linux machines use to handle user administration?
LDAP.
And they generally don't have complicated permissions policies. They're just too hard to maintain.
RADIUS is mostly for dial-up or WiFi access.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jesse Stone wrote:
Thanks Alan. I'm going to start researching LDAP. I would like to add authenication for wireless though via FreeRadius. Are there any good sites/guides on how to do this?
Lots. See my site: http://deployingradius.com Alan DeKok.
participants (3)
-
Alan DeKok -
Jesse Stone -
Parham Beheshti