Freeradius Usage

Jesse Stone jstone1999 at gmail.com
Sat Sep 6 07:41:01 CEST 2008


Would Freeradius be the correct technology for this?

For example,

Currently, for me to allow someone access to my OpenVPN server and Samba I
have to first add them as a standard user with the useradd script.  Then I
have to use smbpasswd -e to enable their account for Samba.  If I wanted that
user to also be able to SSH into another server I would have to repeat this
process.  After about 3 users I forgot who has access to what.  This is the
process I want to simplify.  I want 1 place/script that prompts for every
app/server that I want to restrict access to:  Samba, SSH, Shell access, X,
etc.  I want this information stored in a standard SQL type database though
so I can easily manipulate users once they've been created on the fly.
Preferably within 1 table like I provided in my last email as an example of a
simple user management style.

What do large companies that have many users/linux machines use to handle
user administration?

-Jesse
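One way to build the single permissions table and the per-user "who has what" query described in this message, as an added example that is not from the thread or from the FreeRADIUS project (the table layout, column names, username rule and the nologin shell for non-shell users are this example's own assumptions):

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # keeps names safe to pass to useradd

def open_db(path=":memory:"):
    """One table, one row per user; the schema is constructed for this example."""
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    conn.execute("""CREATE TABLE IF NOT EXISTS permissions (
        username    TEXT PRIMARY KEY,
        ssh         INTEGER NOT NULL DEFAULT 0,  -- 1 = allowed, 0 = denied
        shell       INTEGER NOT NULL DEFAULT 0,
        openvpn     INTEGER NOT NULL DEFAULT 0,
        samba_group TEXT)""")                    # NULL = no Samba access
    return conn

def set_access(conn, username, ssh=False, shell=False, openvpn=False, samba_group=None):
    """Create or overwrite a user's row. Anything not granted is denied."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"bad username: {username!r}")
    conn.execute(
        "INSERT OR REPLACE INTO permissions (username, ssh, shell, openvpn, samba_group) "
        "VALUES (?, ?, ?, ?, ?)",                # bound parameters, never string-built SQL
        (username, int(ssh), int(shell), int(openvpn), samba_group))
    conn.commit()

def access_summary(conn, username):
    """The 'select %user% from permissionsDB' answer the poster describes."""
    row = conn.execute("SELECT * FROM permissions WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None  # unknown user: no row means no access anywhere
    yn = lambda v: "YES" if v else "NO"
    return (f"SSH: {yn(row['ssh'])}, OpenVPN: {yn(row['openvpn'])}, "
            f"Samba: {row['samba_group'] or 'NO'}, Shell Access: {yn(row['shell'])}")

def provisioning_commands(conn, username):
    """Derive the manual steps from the thread (useradd, then smbpasswd -e) from
    the table, so the table is the record of who has what. Returned, not run.
    Giving non-shell users /usr/sbin/nologin is this example's own choice."""
    row = conn.execute("SELECT * FROM permissions WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return []
    login_shell = "/bin/bash" if row["shell"] else "/usr/sbin/nologin"
    cmds = [f"useradd -m -s {login_shell} {username}"]
    if row["samba_group"]:
        cmds += [f"smbpasswd -a {username}", f"smbpasswd -e {username}"]
    return cmds
```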


On Fri, Sep 5, 2008 at 5:30 PM, Edvin Seferovic <edvin.seferovic at kolp.at>wrote:

>  It is a tricky concept, but it can be done with a lot of effort. Probably
> not for all applications ( since it doesn't make any sense for some of them
> ). Maybe you should consider making a real network DMZ. The concept of DMZ
> allows you to define and allow/disallow access to services from the Internet
> and those from the local LAN. You DO NOT make things or services available
> "to the DMZ" !
>
> Start simple !
>
> Regards,
>
> E:S
>
> *From:* freeradius-users-bounces+edvin.seferovic=kolp.at at lists.freeradius.org *On Behalf Of* Jesse Stone
> *Sent:* Saturday, 06 September 2008 01:50
> *To:* FreeRadius users mailing list
> *Subject:* Re: Freeradius Usage
>
> Thank you for the quick response.  I may not have mentioned this previously
> but I am by no means a linux/networking expert.  The company I work for is
> pro-MS.  Recently, I got the urge to get back into Linux and here I am.
>
> My thinking (in regards to network structure) was that I wanted
> applications intended for the public as far away from my local lan as
> possible.  The local lan requires the app server though:  OpenVPN, Samba (as
> a PDC), misc other things, so I wanted it available to the local lan but not
> to the DMZ.
>
> My main questions though are with Freeradius.  My setup is for "hobby"
> purposes only and already I would have difficulty telling you exactly which
> users have access to what.
>
> I want, using a technology like Freeradius or LDAP, to create 1 central place
> on the app server that EVERYTHING would authenticate to.  In a perfect
> world, the end result would be that I could type something like this:
>
> select %user% from permissionsDB
>
> and be returned something like this:
>
> SSH: NO, OpenVPN: YES, Samba: %Specific group% (which indicates shares
> available), Shell Access: No, etc.
>
> Basically, I want a setup where I can easily scale upwards without having
> to "teach" each new application how to use a DB.  Freeradius also can
> authenticate my wireless users, which would also be great as for all I know,
> half my bandwidth is being used by my neighbors.
>
> -Jesse
>
> On Fri, Sep 5, 2008 at 4:34 PM, Edvin Seferovic <edvin.seferovic at kolp.at>
> wrote:
>
> Hi,
>
> excuse me for asking, but why don't you set up the AppServer in your DMZ ?
> you could have ( what I call ) the T-structure
>
> >< --- INTERNET --> GATEWAY ( server1 ) <---> LOCAL LAN
>
>                                                                I
>
>                                                                I  DMZ
>
>                                                                I
>
>                                                SERVER2 + APPServer
>
> It depends how your users use the gateway and how they are supposed to
> connect to the Internet.
>
> Regards,
>
> E:S
>
> *From:* freeradius-users-bounces+edvin.seferovic=kolp.at at lists.freeradius.org *On Behalf Of* Jesse Stone
> *Sent:* Saturday, 06 September 2008 01:25
> *To:* FreeRadius users mailing list
> *Subject:* Freeradius Usage
>
> Hi All,
>
> I am new to this mailing list and am about to ask a probably very silly
> question.  Please feel free to direct me to resources that'll help me answer
> it.
>
> I want to set up the following:
>
> Gateway [server1]
>        -  nic1 = Internet
>        -  nic2 = DMZ [server2]
>        -  nic3 = Router w/ Wireless -> App Server [Server3] (FREERADIUS
> SERVER HERE) -> Local Lan
>
> I read a lot about both Freeradius and LDAP and cannot determine if either
> can accomplish my goals.
>
> What I want is:
>
> 1)  1 central place where all user authentication takes place:   SSH, Shell
> Access, Samba, OpenVPN, Mumble, Any other app that requires user
> administration.
>
> 2)  This information stored in a SQL type database so that I can build my
> own custom apps to report on user usage, performance etc.
>
> 3)  My router has wireless and I have enabled the security features.  I
> would still like authentication to take place before a wireless user is
> allowed on the network.
>
> For example,
>
> Currently, I have this: Router w/ Wireless -> App Server [Server3] + Local
> Lan
>
> I want this: Router w/ Wireless -> App Server [Server3] -> Local Lan
>
> Is Freeradius the best approach for my needs?  Do I need anything else?
>
> -Jesse
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html