Radius Self Service

Matthew Newton mcn4 at leicester.ac.uk
Fri Feb 17 03:21:07 CET 2012


Hi,

On Fri, Feb 17, 2012 at 12:54:20AM +0000, Peter Moreton wrote:
> But why not simply create a simple web page, possibly even as a
> captive portal? It's much easier that way, plus it's real-time and you
> have no risk of email missing (e.g. due to spam filters, etc).
> 
> >> if I build a webpage, then I also have to authenticate users
> >> who present themselves requesting self service

(Just FYI - you're quoting your responses the wrong way around
according to normal convention - that was *really* confusing to
try and understand :-) )

I'd still recommend you go the web route, rather than the e-mail
route, but up to you (and if you really do go the e-mail route,
save yourself some pain and don't touch sendmail with a
bargepole!)

> >> I want to keep the entire radius PIN authentication system on
> >> Linux, to keep it independent of Windows, a security "island"
> >> perhaps, so in this case, it is Linux specific.

OK, so given your constraint that it's totally independent, I'd
personally do:

  Users visit site, enter username (e-mail address), current pin &
  new pin to change their pin number.

  If they can't remember their pin, or it's never been set before,
  they go to site, "click on remind me of my pin", and the system
  e-mails it to them. If they have not got one, it generates it, and
  then sends it.

You don't seem to mind pin numbers going over e-mail, so that
should be "OK"... If you wanted to be more secure, e-mail a URL
with a random hash in it, which takes them back to a page to allow
them to change the pin.

This stuff has been used for setting/resetting passwords on web
sites for years. It's really simple, and everyone understands and
knows how to use it.

If you *really* want to go the e-mail route, I'd use exim, and
probably do the whole lot in the MTA (it can read/update mysql
easily), just for the hacky fun of it.

But this is really going off-topic for freeradius-users.

> >> no, radius, mysql, php - these are all just tools to be
> >> learned. I'd rather spend a couple of weeks and build a
> >> solution that I know and trust. I'm sure we are all experts
> >> in our fields, and as such it's much better to expand personal
> >> horizons than give in and hire someone.

:-) My thoughts exactly.

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
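The two flows Matthew sketches (change PIN with the current one; "remind me" via an e-mailed URL carrying a random token instead of the PIN itself) as an added example, not code from the original message or from FreeRADIUS. It assumes an in-memory dict in place of the MySQL table and an `outbox` list in place of the MTA; the 15-minute token lifetime and the `selfservice.example` host are assumptions, not anything from the thread.

```python
"""PIN self-service: change with current PIN, or reset via a single-use,
expiring token sent by e-mail. Added example; storage and mail delivery
are stand-ins (assumed), not the poster's or FreeRADIUS' own code."""
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed policy: reset links expire after 15 minutes

# Constructed in-memory stores standing in for the SQL table RADIUS reads.
users = {}         # username -> {"salt": bytes, "pin_hash": bytes}
reset_tokens = {}  # sha256(token) -> {"user": str, "expires": float}
outbox = []        # (recipient, body) tuples standing in for sent mail


def _hash_pin(pin, salt):
    # Salted PBKDF2 so a leaked table does not expose PINs directly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def set_pin(username, pin):
    salt = os.urandom(16)
    users[username] = {"salt": salt, "pin_hash": _hash_pin(pin, salt)}


def verify_pin(username, pin):
    rec = users.get(username)
    if rec is None:
        _hash_pin(pin, b"\x00" * 16)  # same cost whether or not the user exists
        return False
    return hmac.compare_digest(rec["pin_hash"], _hash_pin(pin, rec["salt"]))


def change_pin(username, current_pin, new_pin):
    """Flow 1: username, current PIN and new PIN entered on the web page."""
    if not verify_pin(username, current_pin):
        return False
    set_pin(username, new_pin)
    return True


def request_reset(username, now=None):
    """Flow 2: 'remind me of my pin'. Mails a URL with a random token; the
    PIN never travels over e-mail. Silent for unknown users so the page
    does not reveal which addresses are registered."""
    now = time.time() if now is None else now
    if username not in users:
        return
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token: a leaked table cannot replay links.
    digest = hashlib.sha256(token.encode()).hexdigest()
    reset_tokens[digest] = {"user": username, "expires": now + TOKEN_TTL}
    outbox.append((username, f"https://selfservice.example/reset?t={token}"))


def reset_with_token(token, new_pin, now=None):
    """Link target: accepts the token once, and only before it expires."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = reset_tokens.pop(digest, None)  # pop => single use
    if entry is None or entry["expires"] < now:
        return False
    set_pin(entry["user"], new_pin)
    return True


def last_mailed_token():
    """Pull the token back out of the most recent stand-in e-mail."""
    return outbox[-1][1].split("t=", 1)[1]


if __name__ == "__main__":
    set_pin("alice@example.org", "1234")          # constructed user
    print(change_pin("alice@example.org", "1234", "5678"))  # True
    request_reset("alice@example.org")
    print(reset_with_token(last_mailed_token(), "9999"))    # True
```

Hashing the stored token and popping it on use give the "random hash in a URL" variant the two properties that matter for a reset link: it works once, and a copy of the database table is not enough to forge one.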
