Greetings, All I have a FreeBSD-based gateway server running pfSense software. This is the only server directly connected to the internet. It distributes (port forwards) all incoming internet requests to about five back-end servers based on static IP address and/or ports. I have a new FreeRADIUS/MySQL server among the five back-end servers. I just completed installation, configuration and testing of this server. I want to authenticate and authorize all incoming http(s) requests before allowing access to any back-end services. However, I seemed to have missed something fundamental about the FreeRADIUS server - what do I do next?? How do I "attach" FreeRADIUS to the inbound TCP stream to accept/reject requests?? Where does the accept/reject response go?? The available documentation did not discuss deployment... Any links or tips would be appreciated. Cheers, Rubix Cube
On Mon, Jul 5, 2010 at 12:20 PM, Thomas Reeves <thomas_reeves@verizon.net> wrote:
I have a FreeBSD-based gateway server running pfSense software.
I want to authenticate and authorize all incoming http(s) requests before allowing access to any back-end services.
However, I seemed to have missed something fundamental about the FreeRADIUS server – what do I do next?? How do I “attach” FreeRADIUS to the inbound TCP stream to accept/reject requests??
That question would be better addressed to pfSense support/discussion list. radius does not really care what the end usage is, it simply provides Authentication, Authorization, and Accounting (AAA). Here's a similar example: you can limit which users are allowed to use wireless network on your office by listing the users and their respective password on a radius server. But to get the actual limitation to work, you need to configure your wireless access point to "ask" radius whether a particular user/password combination is allowed. Does this make sense so far? -- Fajar
Thanks for your reply, Fajar. In your example, is the wireless access point the "client" that I've seen referred to in some of the FreeRADIUS documentation? If yes, then I would have these three "clients": 1. Apache web server 2. Open-Xchange server (java-based) 3. Postfix + Dovecot mail server So, my "clients" should pass a userid/password to FreeRADIUS and receive back an accept or reject from FreeRADIUS? Thomas -----Original Message----- From: freeradius-users-bounces+thomas_reeves=verizon.net@lists.freeradius.org [mailto:freeradius-users-bounces+thomas_reeves=verizon.net@lists.freeradius. org] On Behalf Of Fajar A. Nugraha Sent: Monday, July 05, 2010 1:44 AM To: FreeRadius users mailing list Subject: Re: What Next?? On Mon, Jul 5, 2010 at 12:20 PM, Thomas Reeves <thomas_reeves@verizon.net> wrote:
I have a FreeBSD-based gateway server running pfSense software.
I want to authenticate and authorize all incoming http(s) requests before allowing access to any back-end services.
However, I seemed to have missed something fundamental about the FreeRADIUS server what do I do next?? How do I attach FreeRADIUS to the inbound TCP stream to accept/reject requests??
That question would be better addressed to pfSense support/discussion list. radius does not really care what the end usage is, it simply provides Authentication, Authorization, and Accounting (AAA). Here's a similar example: you can limit which users are allowed to use wireless network on your office by listing the users and their respective password on a radius server. But to get the actual limitation to work, you need to configure your wireless access point to "ask" radius whether a particular user/password combination is allowed. Does this make sense so far? -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Fajar A. Nugraha -
Thomas Reeves