Freeradius Usage

Edvin Seferovic edvin.seferovic at kolp.at
Sat Sep 6 02:30:25 CEST 2008 

It is a tricky concept, but it can be done with a lot of effort. Probably
not for all applications ( since it doesn't make any sense for some of them
). Maybe you should consider making a real network DMZ. The concept of DMZ
allows you to define and allow/disallow access to services from the Internet
and those from the local LAN. You DO NOT make things or services available
"to the DMZ" !

 

Start simple !

 

Regards,

E:S

 

From: freeradius-users-bounces+edvin.seferovic=kolp.at at lists.freeradius.org
[mailto:freeradius-users-bounces+edvin.seferovic=kolp.at at lists.freeradius.or
g] On Behalf Of Jesse Stone
Sent: Samstag, 06. September 2008 01:50
To: FreeRadius users mailing list
Subject: Re: Freeradius Usage

 

Thank you for the quick response.  I may not have mentioned this previously
but I am by no means a linux/networking expert.  The company I work for is
pro-MS.  Recently, I got the urge to get back into Linux and here I am.  

 

My thinking (in regards to network structure) was that I wanted applications
intended to the public as far away from my local lan as posible.  The local
lan requires the app server though-  OpenVPN, Samba (as a PDC), misc other
things so I wanted it available to the local lan but not to the DMZ.

 

My main questions though are with Freeradius.  My setup is for "hobby"
purposes only and already I would have difficulty telling you exactly which
users have access to what.

 

I want to using a technology like Freeradius or LDAP create 1 central place
on the app server that EVERYTHING would authenication to.  In a perfect
world, the end result would be that I could type something like this:

 

select %user% from permissionsDB

 

and be returned something like this:

 

SSH: NO, OpenVPN: YES, Samba: %Specific group% (which indicates shares
available), Shell Access: No, ect

 

Basically, I want a setup where I can easilly scale upwards without having
to "teach" each new application how to use a DB.  Freeradious also can
authenicate my wireless users when would also be great as for all I know,
half my bandwidth is being used by my neighbors.

 

-Jesse

On Fri, Sep 5, 2008 at 4:34 PM, Edvin Seferovic <edvin.seferovic at kolp.at>
wrote:

Hi,

 

excuse me for asking, but why dont you set up the AppServer in your DMZ ?
you could have ( what I call ) the T - structure

 

>< --- INTERNET --> GATEWAY ( server1 ) <---> LOCAL LAN

                                                               I

                                                               I  DMZ

                                                               I

                                               SERVER2 + APPServer

 

It depends how your users use the gateway and how are they suppose to
connect to the Internet. 

 

Regards,

E:S

                                                               

 

From: freeradius-users-bounces+edvin.seferovic=kolp.at <http://kolp.at/>
@lists.freeradius.org <http://lists.freeradius.org/>
[mailto:freeradius-users-bounces+edvin.seferovic
<mailto:freeradius-users-bounces%2Bedvin.seferovic> =kolp.at
<http://kolp.at/> @lists.freeradius.org <http://lists.freeradius.org/> ] On
Behalf Of Jesse Stone
Sent: Samstag, 06. September 2008 01:25
To: FreeRadius users mailing list
Subject: Freeradius Usage

 

Hi All,

 

I am new to this mailing list and am about to ask a probably very silly
question.  Please feel free to direct me to resources that'll help me answer
them.

 

I want to setup the following:

 

Gateway [server1]

       -  nic1 = Internet

       -  nic2 = DMZ [server2]

       -  nic3 = Router w/ Wireless -> App Server [Server3] (FREERADIUS
SERVER HERE) -> Local Lan

 

I read a lot about both Freeradius and LDAP and cannot determine if either
can accomplish my goals.

 

What I want is:

 

1)  1 central place where all user authenication takes place:   SSH, Shell
Access, Samba, OpenVPN, Mumble, Any other app that requires user
administration.

2)  This information stored in a SQL type database so that I can build my
own custom apps to report on user usage, performance ect.

3)  My router has wireless and I have enabled the security features.  I
would still like authenication to take place before a wireless user is
allowed on the network.

 

For example, 

 

Currently, I have this: Router w/ Wireless -> App Server [Server3] + Local
Lan

 

I want this: Router w/ Wireless -> App Server [Server3] -> Local Lan

 

Is Freeradius the best approach for my needs?  Do I need anything else?  

 

-Jesse

 


-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080906/38ae4b1e/attachment.html>

More information about the Freeradius-Users mailing list