On Tue, 8 Jun 2004, Andy Holyer wrote:
> I'd like to configure FreeRadius to run a wireless hotspot service for
> customers of our ISP.
>
> I'm still at the planning stage, but this is what I'd like to do:
>
> I set up a perl script to produce username/password combinations which
> will have 1 hour/ 6 hours/ 12 hours of life in them (for different
> value scratch cards)
>
> We get scratch cards made up with the above authorizations, and I enter
> the details into FreeRadius.
>
> Customers at the hotspot location buy the cards, and use the details to
> connect to the net (time can be split across different
> sessions/locations at customers' wish).
>
> Once the time is used up, FreeRadius deletes the account details.
>
> Is this feasible? Easy to do? I've got FreeRadius installed on our
> Freebsd server, but that's as far as I have got.
>
> Any suggestions as to the best way of supplying the account details to
> freeradius/configuring time-limited accounts gratefully received.
>
> I'm sure there must be a FAQ about this.
>
> Thanks in advance for any advice.
We've created a per-day anonymous account system for our university library
public computers which may be of help. That way you won't need to add any
information inside freeradius apart from creating a small script to be run on
authentication and a single user.
Here goes:
Create a username hotspot-service with a *really* difficult password as a
starting point. I am using ldap, but the same can also be done with sql and with
the files module (in the latter you can't have some features which are available
in ldap/sql, due to the inability to set the search filter).
You then create usernames with the simple formula user<number>:
user1,user2,...,user123
Passwords for these users can be created with the following formula (we also use
the day to create per day accounts but that does not matter):
SECRET=<one really long and hard to guess secret word>
DATA=SECRET . USERNAME . <HOURS ALLOWED TO LOGIN>
DIGEST=MD5(DATA)
KEEP ONLY THE FIRST 6 BYTES of DIGEST
BASE64 encode them
USERPASSWORD = HOTSPOT-SERVICEPASSWORD ^ DIGEST
and you have an 8-character, quite hard to guess password. This
isn't a cryptographic masterpiece, but it works quite well and is fairly
secure. Obviously you can keep more bytes and create larger and more secure
passwords.
Also instead of an easily guessed username you could use a card PIN for the
username which will be more secure.
On login the users also use a realm signifying that they are using the hotspot
service and the scratch card category, like:
<user>@hotspot1
<user>@hotspot6
<user>@hotspot12
You use that realm to set the Max-Session limit for the counter module (which
is configured with reset=never):
DEFAULT Realm == "hotspot1", Max-Session := 3600,Autz-Type := "hotspot"
DEFAULT Realm == "hotspot6", Max-Session := 21600,Autz-Type := "hotspot"
Using Autz-Type you do something like:
authorize {
        files
        Autz-Type hotspot {
                hotspot_ldap
                anonymous_passwd
                rewrite_passwd
        }
}
Where ldap is configured with a search filter:
filter="(uid=hotspot-service)"
That way you also have a single point where you change the dialup settings for
all your users.
anonymous_passwd is a script:
DATA = SECRET . USERNAME
DIGEST = MD5(DATA)
KEEP ONLY THE FIRST 6 BYTES of DIGEST
USERPASSWORD = BASE64_DECODE(USERPASSWORD)
RESULT = USERPASSWORD ^ DIGEST
ENCODE_BASE64(RESULT)
You use the output to rewrite the supplied user password in the request.
If the password provided by the user is correct the result should be the REALLY
SECRET PASSWORD. If it is, then the user will be authenticated successfully. The
nice thing is that in such a way you can have accounting/failed login log for
all these users without storing them anywhere.
Obviously the above can work with PAP and EAP-TTLS(PAP), not with CHAP/MS-CHAP.
Feel free to contact me directly for any more details or help.
>
> ---
> Andy Holyer, Technical stuff
> Hedgehog Broadband, 11 Marlborough Place Brighton BN1 1UB
> 08451 260895 x 241
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
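The scratch-card scheme described in the reply above, worked through end to end as an added Python example; this is not code from the post, from the poster's script, or from FreeRADIUS. It shows both halves: issuing a card password from SECRET, USERNAME and the card's hours, and the anonymous_passwd step that XORs a supplied password back into the hotspot-service password so the normal LDAP/SQL/files check can accept or reject it. The secret, the service password, the realm-to-hours table and the usernames are constructed assumptions. The example reads the 6-byte XOR as applied before the final Base64 step, which is the reading under which the rewrite in the post recovers the service password exactly (the service password itself is then 8 Base64 characters decoding to 6 bytes). It also goes one step beyond the post by showing why the hours belong in the digest: a card sold as @hotspot1 and presented as @hotspot12 does not rewrite to the service password, so a customer cannot upgrade a card by changing the realm.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed values for this example (assumptions, not values from the post).
# In a deployment SECRET is long and random, and SERVICE_PASSWORD is the
# password of the hotspot-service account that FreeRADIUS actually checks.
SECRET = "constructed-example-secret-use-something-long-and-random-here"
SERVICE_PASSWORD = base64.b64encode(b"\x8f\x2a\x11\xc0\x57\xee").decode()  # 8 chars, 6 bytes

# Realm suffix -> hours sold on the card, matching the hotspot1/6/12 realms in the post.
REALM_HOURS = {"hotspot1": 1, "hotspot6": 6, "hotspot12": 12}


def card_digest(secret: str, username: str, hours: int) -> bytes:
    """First 6 bytes of MD5(SECRET . USERNAME . HOURS).

    MD5 is used here only as a keyed digest: the secret is what makes the card
    password unguessable, so keep it out of anything customers can reach.
    """
    data = f"{secret}{username}{hours}".encode()
    return hashlib.md5(data).digest()[:6]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def issue_card(username: str, hours: int) -> str:
    """Password to print on a scratch card (issuer side, run offline)."""
    digest = card_digest(SECRET, username, hours)
    service = base64.b64decode(SERVICE_PASSWORD)
    return base64.b64encode(xor_bytes(digest, service)).decode()


def rewrite_password(login: str, supplied: str):
    """The anonymous_passwd step: turn the supplied password into the candidate
    service password. Returns None when the request cannot be rewritten at all
    (no realm, unknown realm, malformed Base64, wrong length)."""
    if "@" not in login:
        return None
    username, realm = login.rsplit("@", 1)
    hours = REALM_HOURS.get(realm)
    if hours is None:
        return None
    try:
        raw = base64.b64decode(supplied, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) != 6:
        return None
    digest = card_digest(SECRET, username, hours)
    return base64.b64encode(xor_bytes(raw, digest)).decode()


def would_authenticate(login: str, supplied: str) -> bool:
    """What the LDAP/SQL/files check against hotspot-service would decide after
    the rewrite. A constant-time compare keeps this demo honest; in the real
    flow the backend module does the comparison."""
    rewritten = rewrite_password(login, supplied)
    return rewritten is not None and hmac.compare_digest(rewritten, SERVICE_PASSWORD)


if __name__ == "__main__":
    card = issue_card("user17", 6)
    print("card for user17 (6h):", card)
    print("user17@hotspot6 :", would_authenticate("user17@hotspot6", card))
    print("user17@hotspot12:", would_authenticate("user17@hotspot12", card))
```

Because the card password is derived rather than stored, the issuer only needs the secret and a list of which usernames (or card PINs) have been printed; once Max-Session is exhausted the counter module refuses the login and there is no account row to delete.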