Hi James,

Exactly what I have been trying to do for about 6 months, but keep getting distracted by doing something else.

What software do you use for the wildcard DNS? Any example configs?

Regards,
Alexander Fossa

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCain, Al
Sent: 19 September 2005 14:26
To: FreeRadius users mailing list
Subject: RE: Walled Garden for Users Without Realms.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Wakefield (Sunet Sysadmin)
Sent: Sunday, September 18, 2005 6:27 PM
To: FreeRadius users mailing list
Subject: Re: Walled Garden for Users Without Realms.

G'day Al,

We're doing the same thing here, changing a dial-up number and migrating off of the NASes that serve that number. My approach is:

* Match customers who need to be placed in the walled garden. This is easy enough for our situation, as they're in the huntgroup comprised of the old NASes. I could also match Called-Station-Id if I wanted.

* Send specific attributes for those users, giving them a short session timeout (say 5, 10 minutes) which, if they fail to see or heed our message, will motivate them to call helpdesk and get sorted out, and also setting their primary DNS server to one which resolves every hostname to one of your IP addresses using a wildcard zone or some such. If this DNS server is already providing other services, you'll want to use a view for walled garden users, which you may need to facilitate by putting them into a specific subnet. What attributes you use, exactly, will depend on your NAS gear.

* On that IP address that you're resolving * to, is a webserver which displays the message you wish the walled garden users to read. If this webserver already serves other pages, you'll need to do some URL rewriting to send them to the appropriate page, e.g. using Apache's mod_rewrite. This way, any request for a web page will display your message.

Personally, I find the easiest approach is to just dust off a box that's not being used and put the wildcard DNS and webserver on it - it's only got a couple of very simple functions to perform and it's not a critical service.

You may also want to consider applying packet filtering to walled garden users as they'll still be able to reach the entire Internet by IP address, though the session timeouts make that only a moderate concern in our situation.

You could also do a similar thing with email by setting up a mailserver on the wildcarded IP and bouncing everything with your walled garden message. Personally, I think sending your customers an email and then putting in the web-based walled garden is enough.

Cheers,

James Wakefield
Systems Administrator
+61 03 5227 6888
We have now moved head office to 8-12 Pakington Street, Geelong West.

McCain, Al wrote:

>Hi.
>
>I was wondering if there was a way to place users in a Walled Garden if
>they try to Auth without a Realm.
>We are currently running FreeRADIUS Version 0.9.3. Our users are stored
>in MySQL.
>
>Company:
>I work for an ISP. We seem to acquire new properties every few months.
>
>Current structure:
>
>We have multiple instances of RADIUS running: one for each domain. (I
>have NO clue who set it up this way).
>
>I would like to consolidate these instances into one, and force our
>users to use realms.
>
>Problem:
>
>We can't just force the customers to use realms. We would need to
>notify them of the changes. (This can prove tricky).
>
>What I would like to see:
>
>Aside from contacting the customer about changes, I would like to send
>the users to a web page after they log in without a realm. The page
>would tell them that they need to log in with realms. I believe this
>is called hURL'ing, however I cannot seem to find any documentation.
>
>Has anyone ever done this, or know if it can be done?
>
>Any help is greatly appreciated.
>
>Thanks,
>Al
>
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html

Very good idea James. I will test that out.

-Al
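
The wildcard DNS behaviour described in the thread (a server that resolves every hostname to the walled-garden web server) is sketched below as an added example in Python; it is not from any poster and is not a FreeRADIUS or BIND configuration. `GARDEN_IP`, `TTL`, `build_response` and `serve` are assumed names, the address is a constructed documentation value, and the low TTL is an added assumption so that clients drop the answers soon after they leave the walled garden.

```python
import socket
import struct

GARDEN_IP = "192.0.2.10"  # constructed: address of the walled-garden web server
TTL = 30                  # assumption: short, so answers expire once the user is fixed

def build_response(query: bytes, ip: str = GARDEN_IP, ttl: int = TTL) -> bytes:
    """Answer any single-question A/IN query with `ip`; other types get empty NOERROR."""
    if len(query) < 12:
        raise ValueError("short DNS message")
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    pos = 12  # walk the QNAME labels; pointers are not valid in a question name
    while True:
        if pos >= len(query):
            raise ValueError("truncated question")
        length = query[pos]
        if length & 0xC0:
            raise ValueError("unexpected label type")
        pos += 1 + length
        if length == 0:
            break
    if pos + 4 > len(query):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", query[pos:pos + 4])
    answer = b""
    if qtype == 1 and qclass == 1:  # A / IN: every name maps to the same address
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    # QR=1, AA=1, RD copied from the query, RCODE=0; AAAA etc. get zero answers.
    header = struct.pack("!HHHHHH", qid, 0x8400 | (flags & 0x0100), 1, 1 if answer else 0, 0, 0)
    return header + query[12:pos + 4] + answer

def serve(bind_addr: str = "0.0.0.0", port: int = 53) -> None:
    """UDP loop; point walled-garden users' primary DNS at this host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except ValueError:
            pass  # drop malformed packets

if __name__ == "__main__":
    serve()
```

Queries for record types other than A get an empty NOERROR reply, so a client that asks for AAAA first falls back to the A answer.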

