self user registration

Dusty Doris freeradius at
Mon Jul 11 22:33:21 CEST 2005

Check out the Cisco SSG/SESM solution.  You route all the traffic through
one (or many) SSG's.  The SSG will determine whether or not the session is
authenticated based on IP address.  If not, it will redirect the user to
the SESM page, where they will login.  The SESM will send the
username/password to RADIUS and then communicate back to the SSG whether
or not it was successful and certain reply attributes that define the
profile they have access to.  Then the user will be redirected back to the
page they originally created.

We use it here for our Wifi APs around the city.  The downfall of it, is
that the sessions are based on IP, so NAT will break it.  If you have your
APs setup to NAT/PAT the connections behind it, then only one user will
have to authenticate and all will be authenticated.  You get around that
by making the APs a simple bridge and assign IPs to the PCs connected to
it via DHCP.

If you decide to use the SSG/SESM, I can send you informatoin on how to
configure Freeradius for it as I am doing this now.

The other nice thing about it, is that it will support multiple profiles
that can be stored in RADIUS.  So, you could have the user login to
different services, or different ISPs, etc..  Based on something, such as
a realm, the RADIUS server will return which profile the user now has
access to.  The SSG will then allow access to the services defined in that
profile.  You can also define the ACLs, next hop, etc.. in the RADIUS
server for that profile and the SSGs can simply query RADIUS for that
information.  That helps so you don't have to configure multiple profiles
on each SSG, its all in RADIUS.

You can also do walled gardens within it, so unauthenticated users can
still have access to local content (such as company info, portal pages,
dns, other local websites, etc...).

-Dusty Doris

On Mon, 11 Jul 2005, Michael Fisher wrote:

> Unfortunatly this solution must be able to scale up. We have already
> assesed other technologies but they are not to our liking. Since there
> will be many APs in a certain area so they must be abble to grab account
> info from a central server.
> jck-freeradius at wrote:
> >On Sun, Jul 10, 2005 at 08:40:46PM +0100, Jason Clifford wrote:
> >
> >
> >
> >>How about simply firewalling unauthenticated connections and routing all
> >>access requests to a secured website running a registration script.
> >>
> >>This may not scale to a large deployment without a fair bit of work but
> >>for a small to medium sized network it should be fairly easy.
> >>

More information about the Freeradius-Users mailing list