Freeradius Usage

Jesse Stone jstone1999 at gmail.com
Sat Sep 6 07:42:37 CEST 2008


Sorry for the spam, but... I forgot a part in my current "user add" process:

I then have to have the user login via SSH (after having them download
PuTTY) so that they can change their password.  Then, I have to disallow
them access to SSH (because they shouldn't be logging directly into the
servers).

On Fri, Sep 5, 2008 at 10:41 PM, Jesse Stone <jstone1999 at gmail.com> wrote:

> Would Freeradius be the correct technology for this?
>
> For example,
>
> Currently, for me to allow someone access to my OpenVPN server and Samba I
> have to first add them as a standard user with the useradd script.  Then I
> have to use smbpasswd -e to enable their account for Samba.  If I wanted that
> user to also be able to SSH into another server I would have to repeat this
> process.  After about 3 users I forgot who has access to what.  This is the
> process I want to simplify.  I want 1 place/script that prompts for every
> app/server that I want to restrict access to:  Samba, SSH, Shell access, X,
> etc.  I want this information stored in a standard SQL type database though
> so I can easily manipulate users once they've been created on the fly.
> Preferably within 1 table like I provided in my last email for an example
> simple user management style.
>
> What do large companies that have many users/linux machines use to handle
> user administration?
>
> -Jesse
>
>
> On Fri, Sep 5, 2008 at 5:30 PM, Edvin Seferovic <edvin.seferovic at kolp.at> wrote:
>
>> It is a tricky concept, but it can be done with a lot of effort.
>> Probably not for all applications ( since it doesn't make any sense for some
>> of them ). Maybe you should consider making a real network DMZ. The concept
>> of DMZ allows you to define and allow/disallow access to services from the
>> Internet and those from the local LAN. You DO NOT make things or services
>> available "to the DMZ" !
>>
>> Start simple !
>>
>> Regards,
>>
>> E:S
>>
>> *From:* freeradius-users-bounces+edvin.seferovic=kolp.at at lists.freeradius.org
>> *On Behalf Of* Jesse Stone
>> *Sent:* Saturday, 06 September 2008 01:50
>> *To:* FreeRadius users mailing list
>> *Subject:* Re: Freeradius Usage
>>
>> Thank you for the quick response.  I may not have mentioned this
>> previously but I am by no means a linux/networking expert.  The company I
>> work for is pro-MS.  Recently, I got the urge to get back into Linux and
>> here I am.
>>
>> My thinking (in regards to network structure) was that I wanted
>> applications intended for the public as far away from my local LAN as
>> possible.  The local LAN requires the app server though - OpenVPN, Samba (as
>> a PDC), misc other things so I wanted it available to the local LAN but not
>> to the DMZ.
>>
>> My main questions though are with Freeradius.  My setup is for "hobby"
>> purposes only and already I would have difficulty telling you exactly which
>> users have access to what.
>>
>> I want, using a technology like Freeradius or LDAP, to create 1 central
>> place on the app server that EVERYTHING would authenticate to.  In a
>> perfect world, the end result would be that I could type something like
>> this:
>>
>> select %user% from permissionsDB
>>
>> and be returned something like this:
>>
>> SSH: NO, OpenVPN: YES, Samba: %Specific group% (which indicates shares
>> available), Shell Access: No, etc.
>>
>> Basically, I want a setup where I can easily scale upwards without having
>> to "teach" each new application how to use a DB.  Freeradius also can
>> authenticate my wireless users which would also be great as for all I know,
>> half my bandwidth is being used by my neighbors.
>>
>> -Jesse
>>
>> On Fri, Sep 5, 2008 at 4:34 PM, Edvin Seferovic <edvin.seferovic at kolp.at> wrote:
>>
>> Hi,
>>
>> excuse me for asking, but why don't you set up the AppServer in your DMZ ?
>> you could have ( what I call ) the T – structure
>>
>> <--- INTERNET --> GATEWAY ( server1 ) <---> LOCAL LAN
>>                     |
>>                     |  DMZ
>>                     |
>>            SERVER2 + APPServer
>>
>> It depends how your users use the gateway and how they are supposed to
>> connect to the Internet.
>>
>> Regards,
>>
>> E:S
>>
>> *From:* freeradius-users-bounces+edvin.seferovic=kolp.at at lists.freeradius.org
>> *On Behalf Of* Jesse Stone
>> *Sent:* Saturday, 06 September 2008 01:25
>> *To:* FreeRadius users mailing list
>> *Subject:* Freeradius Usage
>>
>> Hi All,
>>
>> I am new to this mailing list and am about to ask a probably very silly
>> question.  Please feel free to direct me to resources that'll help me answer
>> it.
>>
>> I want to set up the following:
>>
>> Gateway [server1]
>>        -  nic1 = Internet
>>        -  nic2 = DMZ [server2]
>>        -  nic3 = Router w/ Wireless -> App Server [Server3] (FREERADIUS
>> SERVER HERE) -> Local Lan
>>
>> I read a lot about both Freeradius and LDAP and cannot determine if either
>> can accomplish my goals.
>>
>> What I want is:
>>
>> 1)  1 central place where all user authentication takes place:   SSH, Shell
>> Access, Samba, OpenVPN, Mumble, Any other app that requires user
>> administration.
>>
>> 2)  This information stored in a SQL type database so that I can build my
>> own custom apps to report on user usage, performance etc.
>>
>> 3)  My router has wireless and I have enabled the security features.  I
>> would still like authentication to take place before a wireless user is
>> allowed on the network.
>>
>> For example,
>>
>> Currently, I have this: Router w/ Wireless -> App Server [Server3] + Local
>> Lan
>>
>> I want this: Router w/ Wireless -> App Server [Server3] -> Local Lan
>>
>> Is Freeradius the best approach for my needs?  Do I need anything else?
>>
>> -Jesse
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
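The one-table, per-user permission lookup Jesse sketches above ("select %user% from permissionsDB" returning SSH: NO, OpenVPN: YES, Samba: group, ...), as an added stand-alone SQLite example: this is not code from the thread and not FreeRADIUS's own SQL schema; the table layout, service names, user names and grants are all constructed for illustration. A service that is not in the grants table is reported as NO, so the store is default-deny.

```python
import sqlite3

# Services the admin wants to gate centrally (from the thread's wish list).
SERVICES = ("SSH", "Shell", "OpenVPN", "Samba")

# Constructed schema: one grant row per (user, service); 'detail' carries
# service-specific data such as the Samba group that selects the shares.
SCHEMA = """
CREATE TABLE users  (username TEXT PRIMARY KEY);
CREATE TABLE grants (
    username TEXT NOT NULL REFERENCES users(username),
    service  TEXT NOT NULL,
    detail   TEXT,
    PRIMARY KEY (username, service)
);
"""

# Constructed sample data, not real accounts.
SAMPLE = [
    ("alice", "OpenVPN", None), ("alice", "Samba", "staff"),
    ("bob", "OpenVPN", None), ("bob", "SSH", None), ("bob", "Shell", None),
    ("carol", "Samba", "guests"),
]

def open_db():
    """Create an in-memory permissions DB seeded with the sample grants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?)", {(u,) for u, _, _ in SAMPLE})
    conn.executemany("INSERT INTO grants VALUES (?, ?, ?)", SAMPLE)
    return conn

def permissions_for(conn, username):
    """Answer 'what may this user reach?' for every service, default-deny."""
    rows = conn.execute("SELECT service, detail FROM grants WHERE username = ?", (username,))
    granted = dict(rows.fetchall())          # service -> detail (or None)
    return {svc: (granted[svc] or "YES") if svc in granted else "NO" for svc in SERVICES}

def revoke(conn, username, service):
    """Drop one grant, e.g. remove SSH once the user has set their password."""
    conn.execute("DELETE FROM grants WHERE username = ? AND service = ?", (username, service))
    conn.commit()

def access_report(conn):
    """Who has access to what, per service: the list that gets lost after 3 users."""
    rows = conn.execute("SELECT service, username FROM grants ORDER BY service, username")
    report = {svc: [] for svc in SERVICES}
    for svc, user in rows:
        report[svc].append(user)
    return report
```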

