Re: Freeradius-Users Digest, Vol 82, Issue 50
But why not simply create a simple web page, possibly even as a captive portal? It's much easier that way, plus it's real-time and you have no risk of email missing (e.g. due to spam filters, etc).
if I build a webpage, then I also have to authenticate users who present themselves requesting self service
Since I don't know Linux terribly well, I'm asking the group if my proposal is a sensible approach? Am I re-inventing any wheels? Should I consider an alternative method? It's not really linux-specific.
I want to keep the entire radius PIN authentication system on Linux, to keep it independent of Windows, a security "island" perhaps, so in this case, it is Linux specific.
Thanks ----------------------------------------------------------- My brief spec: RADIUS01 would be extended to use SENDMAIL and some Perl or similar processing to monitor a predefined email account such as <mailto:PIN@foobar.org.uk> PIN@foobar.org.uk<mailto:PIN@foobar.org.uk> Why? When will you want radius to send email? During a failed auth? IMHO that's a terrible design, and could easily lead to mail floods. Again, it's easier to just use webpage. You seem to have a perception that the DB can only be modified by radius. It's not. You can have whatever process you want managing the db, and have FR simply reads from it.
Nope, I said "radius01 would be extended" that's a hostname not the radius software. Perhaps I should have made this more clear. In my implementation, RADIUS01 replaces another security island, RSA01.
The Sendmail/Perl script would make calls such as: ?Mysql -u root -p That line REALLY show your newbie-ness.
cheers. helpful.
?<MySQL Password> ?Use radsql ?INSERT INTO radcheck (username, attribute, op, value) VALUES ('janedoe','Cleartext-Password',':=','password'); ?INSERT INTO radusergroup VALUES ('janedoe','dynamic',1); ?QUIT Ever heard of sql functions in scripts? e.g. <http://www.php.net/manual/en/book.mysqli.php>http://www.php.net/manual/en/book.mysqli.php or <http://search.cpan.org/dist/DBD-mysql/lib/DBD/mysql.pm>http://search.cpan.org/dist/DBD-mysql/lib/DBD/mysql.pm ?
of course I have. My post tries to explain what I'm trying to achieve using simple language. Implementation detail isn't required.
Looking at your post, I REALLY suggest you hire an expert instead. Either that, or spend lots of time (e.g. several weeks) to learn and have some trial-and-error.
no, radius, mysql, php - these are all just tools to be learned. I'd rather spend a couple of weeks and build a solution that I know and trust. I'm sure we are all experts in our fields, and as such its much better to expand personal horizons than give in an hire someone.
anyhow, no one responded to say, "it exists, use the xyz-addon" so I'm guessing that I'm not reinventing anything, so I'll crack on. Thanks everyone.
The CBI's (Confederation of British Industry's) registered address is: Centre Point, 103 New Oxford Street, London WC1A 1DU Company number: RC000139
Hi, On Fri, Feb 17, 2012 at 12:54:20AM +0000, Peter Moreton wrote:
But why not simply create a simple web page, possibly even as a captive portal? It's much easier that way, plus it's real-time and you have no risk of email missing (e.g. due to spam filters, etc).
if I build a webpage, then I also have to authenticate users who present themselves requesting self service
(Just FYI - you're quoting your responses the wrong way around according to normal convention - that was *really* confusing to try and understand :-) ) I'd still recommend you go the web route, rather than the e-mail route, but up to you (and if you really do go the e-mail route, save yourself some pain and don't touch sendmail with a bargepole!)
I want to keep the entire radius PIN authentication system on Linux, to keep it independent of Windows, a security "island" perhaps, so in this case, it is Linux specific.
OK, so given your constraint that it's totally independent, I'd personally do: Users visit site, enter username (e-mail address), current pin & new pin to change their pin number. If they can't remember their pin, or it's never been set before, they go to site, "click on remind me of my pin", and the system e-mails it to them. If they have not got one, it generates it, and then sends it. You don't seem to mind pin numbers going over e-mail, so that should be "OK"... If you wanted to be more secure, e-mail a URL with a random hash in it, which takes them back to a page to allow them to change the pin. This stuff has been used for setting/resetting passwords on web sites for years. It's really simple, and everyone understands and knows how to use it. If you *really* want to go the e-mail route, I'd use exim, and probably do the whole lot in the MTA (it can read/update mysql easily), just for the hacky fun of it. But this is really going off-topic for freeradius-users.
no, radius, mysql, php - these are all just tools to be learned. I'd rather spend a couple of weeks and build a solution that I know and trust. I'm sure we are all experts in our fields, and as such its much better to expand personal horizons than give in an hire someone.
:-) My thoughts exactly. Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (2)
-
Matthew Newton -
Peter Moreton