RE: Freeradius-Users Digest, Vol 82, Issue 52
Matthew, thanks for your replies, I think you are right inasmuch as I should create a web portal as you described:

1/ Users visit site, enter username (e-mail address), current pin, new pin to change their pin number. System emails confirmation of PIN change.

2/ If they can't remember their pin, or it's never been set before, they go to site, click on remind me of my pin, and the system e-mails it to them. If they have not got one, it generates it, and then sends it.

Perfect! - that's the spec I'll work to... now I've just gotta learn a whole heap of linuxy-stuff! (*So* much more interesting to work with than Windows tho, and reminds me somehow, of the fun days of OpenVMS)

Peter Moreton

*** The CBI's (Confederation of British Industry's) registered address is: Centre Point, 103 New Oxford Street, London WC1A 1DU Company number: RC000139
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
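The two portal steps in the spec above (change a PIN given the current one; look up or generate a PIN to be e-mailed), as an added example that is not part of the original post or of FreeRADIUS. It assumes the radcheck columns quoted elsewhere in this thread, keeps the PIN as Cleartext-Password, and uses in-memory SQLite in place of MySQL; the function names are hypothetical.

```python
import hmac
import re
import secrets
import sqlite3

PIN_RE = re.compile(r"[0-9]{4}")  # the thread's 4-digit PIN


def open_db():
    # Assumption: in-memory SQLite stands in for the MySQL RADIUS database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
               " attribute TEXT, op TEXT, value TEXT)")
    return db


def stored_pin(db, username):
    # Bound parameters only: the username comes straight from a web form.
    row = db.execute("SELECT value FROM radcheck WHERE username = ?"
                     " AND attribute = 'Cleartext-Password'",
                     (username,)).fetchone()
    return row[0] if row else None


def remind_or_create_pin(db, username):
    """Step 2: return the PIN to e-mail, generating one if none is set."""
    pin = stored_pin(db, username)
    if pin is None:
        pin = f"{secrets.randbelow(10000):04d}"  # CSPRNG, keeps leading zeros
        db.execute("INSERT INTO radcheck (username, attribute, op, value)"
                   " VALUES (?, 'Cleartext-Password', ':=', ?)",
                   (username, pin))
        db.commit()
    return pin


def change_pin(db, username, current_pin, new_pin):
    """Step 1: change the PIN only if the submitted current PIN matches."""
    stored = stored_pin(db, username)
    if stored is None or not PIN_RE.fullmatch(new_pin):
        return False
    # Constant-time comparison of the stored and submitted PIN.
    if not hmac.compare_digest(stored.encode(), current_pin.encode()):
        return False
    db.execute("UPDATE radcheck SET value = ? WHERE username = ?"
               " AND attribute = 'Cleartext-Password'", (new_pin, username))
    db.commit()
    return True
```

The caller is expected to send the confirmation or reminder e-mail and to rate-limit both steps per username, since a 4-digit PIN has only 10,000 values.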
Re: Freeradius-Users Digest, Vol 82, Issue 50
But why not simply create a simple web page, possibly even as a captive portal? It's much easier that way, plus it's real-time and you have no risk of email missing (e.g. due to spam filters, etc).

If I build a webpage, then I also have to authenticate users who present themselves requesting self service

Since I don't know Linux terribly well, I'm asking the group if my proposal is a sensible approach? Am I re-inventing any wheels? Should I consider an alternative method?

It's not really linux-specific.

I want to keep the entire radius PIN authentication system on Linux, to keep it independent of Windows, a security island perhaps, so in this case, it is Linux specific. Thanks

---

My brief spec: RADIUS01 would be extended to use SENDMAIL and some Perl or similar processing to monitor a predefined email account such as p...@foobar.org.uk

Why? When will you want radius to send email? During a failed auth? IMHO that's a terrible design, and could easily lead to mail floods. Again, it's easier to just use webpage. You seem to have a perception that the DB can only be modified by radius. It's not. You can have whatever process you want managing the db, and have FR simply read from it.

Nope, I said radius01 would be extended; that's a hostname, not the radius software. Perhaps I should have made this more clear. In my implementation, RADIUS01 replaces another security island, RSA01.

The Sendmail/Perl script would make calls such as:

  Mysql -u root -p

That line REALLY shows your newbie-ness.

cheers. helpful.

  MySQL Password
  Use radsql
  INSERT INTO radcheck (username, attribute, op, value) VALUES ('janedoe','Cleartext-Password',':=','password');
  INSERT INTO radusergroup VALUES ('janedoe','dynamic',1);
  QUIT

Ever heard of sql functions in scripts? e.g. http://www.php.net/manual/en/book.mysqli.php or http://search.cpan.org/dist/DBD-mysql/lib/DBD/mysql.pm ?

Of course I have. My post tries to explain what I'm trying to achieve using simple language. Implementation detail isn't required.

Looking at your post, I REALLY suggest you hire an expert instead. Either that, or spend lots of time (e.g. several weeks) to learn and have some trial-and-error.

No, radius, mysql, php - these are all just tools to be learned. I'd rather spend a couple of weeks and build a solution that I know and trust. I'm sure we are all experts in our fields, and as such it's much better to expand personal horizons than give in and hire someone.

Anyhow, no one responded to say, it exists, use the xyz-addon, so I'm guessing that I'm not reinventing anything, so I'll crack on.

Thanks everyone.
Freeradius GUI admin tool for SQL user entries?
Having got a working FREERADIUS + MySQL setup, with usernames and MD5 password hashes being held in the radcheck SQL table.

Now, I'm wondering if there is any neat, GUI admin tool to allow our sysadmins to be able to add users, update passwords etc. without having to key SQL statements?

Thanks,
Peter
How to encrypt Passwords?
I have a working Freeradius server with user information held in /etc/raddb/users in the form

  username Cleartext-Password = ABCD

We have to store the passwords in some hashed or encrypted format and I'm posting to the list to ask how this is done. Can the 'users' file support ciphertext passwords? Or do we have to store our users in some SQL database?

Thanks,
Peter
RE: Freeradius-Users Digest, Vol 80, Issue 65
Hi Rudolf,

So it can be done, that's what I wanted to know really. I appreciate that all I am going to get is dual-passwords (1 LDAP, 1 Pin) but this will lift the level of security somewhat, and make it far harder to guess simple Username/Password combinations.

Thanks,
Peter

Perhaps you may want delivering PIN to user's cellular over SMS. Anyway Freeradius seems not to be enough, at least you would need some external database and web server - both for creating and storing PINs. I did the task using FR, Apache and MySql. As I see, my concept is quite similar to Nick's one.

Regards,
Rudolf.
Freeradius as a PIN server?
Sorry for the newbie question, but, quite simply, could Freeradius be configured to provide a simple 'PIN Server'? - I want users to be able to choose a 4 digit PIN, and then have Freeradius validate Logon requests using the username/PIN combination (in addition to some separate LDAP authentication)

Really, I am looking to build a lightweight 2-factor authentication system, without the expense of RSA SecurID or similar.

Regards,
Peter Moreton