Re: New design/deployment of freeradius
On 05/22/2013 12:58 AM, Tena Gore wrote:
> I'd like to verify that I'm on the right track here with setting up the protocols and types to use.

See: http://deployingradius.com/documents/protocols/compatibility.html

> We have to use PAP because of not having clear text passwords?

Well, you said what it wasn't, but didn't say what it *was*. MSCHAP requires the NT hash, or the cleartext to generate the NT hash. If you have a crypt (old or new style) then yes, you will need to use PAP.

> To avoid client certificates, we can use PEAP type of EAP?

PEAP does not support PAP, only MSCHAP. To use PAP you must use EAP-TTLS. This isn't supported on Windows <= 7 without 3rd party software.

> Also, we have a wildcard domain SSL certificate, can this be used or do we have to create a new one for this purpose on the server?

People have reported problems with wildcard certs and Windows clients. See the list archives.

> Is there a recommended configuration for this type of deployment? Do you have any tips or tricks that would make our deployment go smoother?

Recommended would be to move to store plaintext passwords, which will let you use the full variety of EAP methods.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: New design/deployment of freeradius
> Hi,
>
> I'm new to radius so I have some basic questions regarding the design and deployment of our freeradius server. We want to use freeradius for our BYOD deployment. We have the following: Ubuntu, OpenLDAP, Ruckus Zone Director and a Safe_Connect NAC. Our passwords are not clear text in ldap. We would like to avoid client certificates and we would like to do dynamic VLAN assignments.
>
> I'd like to verify that I'm on the right track here with setting up the protocols and types to use.
>
> We have to use PAP because of not having clear text passwords?
>
> To avoid client certificates, we can use PEAP type of EAP?

Those 2 don't go together - you cannot have PAP with PEAP. EAP-TTLS has a PAP method, but then some clients don't have EAP-TTLS ability (and some do with an extra supplicant installed).

> Also, we have a wildcard domain SSL certificate, can this be used or do we have to create a new one for this purpose on the server?

Some clients don't like such... but so long as the RADIUS server is signed with a certificate that has the required extensions you'll be okay.

> Is there a recommended configuration for this type of deployment? Do you have any tips or tricks that would make our deployment go smoother?

?? There are hundreds of ways of deploying. However, so long as your LDAP backend has the entries that allow you to distinguish between eg a registered device (eg known MAC) or type of ID eg staff or student, you can do the required policies. FreeRADIUS can return the required reply values to your kit to instruct the VLAN/WLAN ID/number.

alan
Re: New design/deployment of freeradius
Thank you all for your replies. Our passwords are SALTED SHA1 encoded, so the chart you so kindly directed me to states we would have to use EAP-GTC with PAP. Seems I have quite a steep learning curve in a short amount of time.

On Wed, May 22, 2013 at 12:13 AM, Phil Mayers wrote:
> [...]
New design/deployment of freeradius
Hello,

I'm new to radius so I have some basic questions regarding the design and deployment of our freeradius server. We want to use freeradius for our BYOD deployment. We have the following: Ubuntu, OpenLDAP, Ruckus Zone Director and a Safe_Connect NAC. Our passwords are not clear text in ldap. We would like to avoid client certificates and we would like to do dynamic VLAN assignments.

I'd like to verify that I'm on the right track here with setting up the protocols and types to use.

We have to use PAP because of not having clear text passwords?

To avoid client certificates, we can use PEAP type of EAP?

Also, we have a wildcard domain SSL certificate, can this be used or do we have to create a new one for this purpose on the server?

Is there a recommended configuration for this type of deployment? Do you have any tips or tricks that would make our deployment go smoother?

Thanks!
Re: New FreeRADIUS Deployment
On 16 Aug 2012, at 23:01, Julson, Jim jjul...@marketron.com wrote:
> I'm not sure I get what you mean by (citation needed). Forgive me, I hope I didn't do something wrong by posting that to the List. Sorry if I caused a problem.

From what I've read, DA (directly attached) storage still has the lead over SAN based storage in terms of IOP/s and bandwidth. So suggesting a SAN based solution for the database data volume seemed a bit strange, and I was wondering if you had any evidence to back it up.

-Arran

http://knowyourmeme.com/memes/citation-needed
RE: New FreeRADIUS Deployment
Oh I see now. Forgive my ignorance with the terms. Let me explain a bit more about the logic behind that.

I work for a Television and Radio broadcast software development company. Our software is entirely dependent upon MSSQL, MySQL and PostgreSQL. Since we virtualize about 75% of our environment, including SQL servers, and run everything in redundant pools via XenMotion, we have to utilize SANs. Performance wise, we see better disk utilization, and IOP performance when connected to the SAN space versus DA storage on a typical RAID 1, or 5 for redundancy. We use both RAID Z and RAID 10 at this point, as for the last 15 years we've gone through every configuration you could think of. I've been architecting DB infrastructures for companies like Capital One and my current company on very large scales for many years, and given the proper budget, and initial design, a SAN infrastructure can be (and is) a very fast one. Additionally, we use 8GB fiber on every host for the SAN space as well as separate 10GB Ethernet uplinks to these hosts.

Now, my email to the gentleman before was based on the assumption (I know, shame on me) that he'd buy a Dell, IBM, or HP server of some sort, and it would have your standard Perc or QLogic RAID controller that supports standard RAID 0, 1 or 5 configurations. Given the amount of IO he was expecting, I proposed he offload the DB services to another physical source to ensure that local functions were uninterrupted. Obviously with any *SQL configuration, offloading the DB files to separate physical spindles is the best, simply due to the nature of any Database engine (you know, traditional LOGS and DATA on separate physical spindles etc.).

So I guess I should have cited my logic behind it as well. Sorry for the confusion, and thanks for keeping folks accountable. It's good that all the information is put out there in its entirety with real life experience, and not just "do it this way because I say so".

As for proof, hehe, not sure how to prove the last 15 years of work I've done. I can just tell you what my experience has been with the given technologies. Hope that helps my friend. Have a good one.

-----Original Message-----
From: Arran Cudbard-Bell
Sent: Friday, August 17, 2012 9:59 AM
To: FreeRadius users mailing list
Subject: Re: New FreeRADIUS Deployment

> [...]
New FreeRADIUS Deployment
Dear friends,

I searched the list archive, but I couldn't find anything about this. I need to correctly design and deploy a brand new FreeRADIUS server. It will receive about 25.000 simultaneous users, so I'm planning to have, at least, two servers. My questions are:

1. What would be recommended server hardware (memory, disk, CPU, ...) and software (Linux distribution, kernel version, ...)?
2. How could I synchronize both servers' users? I mean, in the beginning, I'd have two separate /etc/shadow files but this is not scalable. I need to share a single file between both servers. Is it possible? How?
3. Any recommendations to the backup policy?

Best regards,

Maurício Harley
Suporte Técnico Cisco
IP Phone: +55 (85) 3133-7910
Auriga Tecnologia Negócios
Cisco SILVER Certified Partner
IBM Business Partner
Re: New FreeRADIUS Deployment
> Dear friends,
>
> I searched the list archive, but I couldn't find anything about this. I need to correctly design and deploy a brand new FreeRADIUS server. It will receive about 25.000 simultaneous users, so I'm planning to have, at least, two servers. My questions are:
>
> 1. What would be recommended server hardware (memory, disk, CPU, ...) and software (Linux distribution, kernel version, ...)?

Should be possible with off-the-shelf hardware. Some middle-class server should be enough.

> 2. How could I synchronize both servers' users? I mean, in the beginning, I'd have two separate /etc/shadow files but this is not scalable. I need to share a single file between both servers. Is it possible? How?

More than 10.000? You should use a SQL backend storage. Use the replication scheme of the SQL database. Or use DRBD to replicate disk partitions.

> 3. Any recommendations to the backup policy?

Ordinary backup solution of the SQL database.

-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München
Tel: (0163) 172 50 98
Fax: (089) 620 304 13
RE: New FreeRADIUS Deployment
> 1. What would be recommended server hardware (memory, disk, CPU, ...) and software (Linux distribution, kernel version, ...)?

Anything standard and new will do the trick here. You don't need Pie in the sky, just make sure you have

> 2. How could I synchronize both servers' users? I mean, in the beginning, I'd have two separate /etc/shadow files but this is not scalable. I need to share a single file between both servers. Is it possible? How?

Do you have a SAN that you could utilize? For performance, I'd suggest a MySQL Cluster running on something with quite a few spindles. The SAN provides great performance in that arena. Otherwise, you are looking at having to do a Master/Slave scenario for MySQL DB Replication

> 3. Any recommendations to the backup policy?

Just your standard nightly full backups to disk, then to either tape, SAN or offsite storage of some kind.

> Best regards,
>
> Maurício Harley
> [...]
Re: New FreeRADIUS Deployment
> Do you have a SAN that you could utilize? For performance, I'd suggest a MySQL Cluster running on something with quite a few spindles. The SAN provides great performance in that arena. Otherwise, you are looking at having to do a Master/Slave scenario for MySQL DB Replication

(citation needed) :)

-Arran
RE: New FreeRADIUS Deployment
My message was truncated somehow... For point 1, I was going to just say, the more spindles for the hard drives the better, and a normal amount of RAM, like 4GB or so. You will have a decent amount of IOPS, especially if you go with MySQL. However, point 2 might take care of that.

From: Julson, Jim
Sent: Thursday, August 16, 2012 2:24 PM
To: FreeRadius users mailing list
Subject: RE: New FreeRADIUS Deployment

> [...]
RE: New FreeRADIUS Deployment
I'm not sure I get what you mean by (citation needed). Forgive me, I hope I didn't do something wrong by posting that to the List. Sorry if I caused a problem.

-----Original Message-----
From: Arran Cudbard-Bell
Sent: Thursday, August 16, 2012 2:57 PM
To: FreeRadius users mailing list
Subject: Re: New FreeRADIUS Deployment

> > Do you have a SAN that you could utilize? For performance, I'd suggest a MySQL Cluster running on something with quite a few spindles. The SAN provides great performance in that arena. Otherwise, you are looking at having to do a Master/Slave scenario for MySQL DB Replication
>
> (citation needed) :)
>
> -Arran
RES: New FreeRADIUS Deployment
Ok, friends,

Thank you very much for starting the discussion. Let's make this more objective.

RADIUS Server: any CPU, 4 GB RAM, any disk space / any Linux
Database Server: any CPU, RAM (???), disk space (???), MySQL / any Linux
Additional: SAN to enable database cluster (any tip?)

Am I right? What would be the answers to the question marks?

Kind regards,

Maurício Harley
Suporte Técnico Cisco
IP Phone: +55 (85) 3133-7910
Auriga Tecnologia Negócios
Cisco SILVER Certified Partner
IBM Business Partner

From: Julson, Jim
Sent: Thursday, 16 August 2012 17:53
To: FreeRadius users mailing list
Subject: RE: New FreeRADIUS Deployment

> [...]
RE: New FreeRADIUS Deployment
### Q: RADIUS Server: any CPU, 4 GB RAM, any disk space / any Linux

A: A reasonable amount of disk space, something like 30GB, should be more than sufficient, particularly if your SAN is housing your databases. As for distro, I'm a fan of CentOS 6.2/6.3 or Ubuntu 12.04. I actually have both in production behind load balancers.
###

### Q: Database Server: any CPU, RAM (???), disk space (???), MySQL / any Linux

A: This is just me, but I'd suggest running both MySQL and FreeRADIUS on the same servers if you can keep the actual data off of the server, and on a SAN. This is because in terms of processor, RAM, and Network IO, MySQL won't peg the system very hard at all. Of course, if budget is of no consequence, then of course separating out services is always fine. But I like to keep all my DB queries local where I can, especially for network intensive operations. This will have to be looked at and integrated into your environment based upon your current variables. There are just too many ways to go, and there is no 1 particularly right way. (Though some may disagree.)

To touch on this further though, RAM is cheap, and if you house them on the same servers, I'd probably make sure you had 6GB to dedicate to MySQL, and about 2-4GB to the OS. Getting 12GB of RAM on a system nowadays is nothing, so if you can, I'd do that.
###

### Q: Additional: SAN to enable database cluster (any tip?)

A: If you have a SAN available, it's pretty straightforward. You will create a volume, carve out a LUN, assign it to the Linux servers, and then mount the partition to begin using it. Both of your FreeRADIUS MySQL servers will point to the same data, thereby giving you good speed, a single point of management, as well as great redundancy with the SAN.
###

From: Mauricio Harley
Sent: Thursday, August 16, 2012 3:15 PM
To: FreeRadius users mailing list
Subject: RES: New FreeRADIUS Deployment

> [...]
RES: New FreeRADIUS Deployment
Ok, Jim,

Thanks a lot. I guess it's quite clear for me now!

Regards,

Maurício Harley
Suporte Técnico Cisco
IP Phone: +55 (85) 3133-7910
Auriga Tecnologia Negócios
Cisco SILVER Certified Partner
IBM Business Partner

From: Julson, Jim
Sent: Thursday, 16 August 2012 18:30
To: FreeRadius users mailing list
Subject: RE: New FreeRADIUS Deployment

> [...]
Re: Deployment
tech.subscripti...@shepherdhill.biz wrote:
> I have done the gdb and valgrind dumps. They are on:
> http://www.leadservers.com/gdb-radiusd.log
> http://www.leadservers.com/valgrind-radiusd.log

It looks like an issue that was fixed in 2.1.7.

Alan DeKok.
Re: Deployment
tech.subscripti...@shepherdhill.biz wrote:
> I am trying to move to the production server after due tests. I installed version 2.1.6 on CentOS 5.2. Funnily I am getting a Segmentation fault error when my hints file is to be loaded. The debug message is:
> ...
> Segmentation fault
>
> My Hints file gives an error when this is inserted:
>
> DEFAULT User-Name =~ '^([...@]+)(@zmobile.com)?$', NAS-IP-Address == 10.76.100.69
>         User-Name := %{1}

Alan DeKok wrote:
> Please see doc/bugs
>
> It's not a problem on any system I have access to.

I have done the gdb and valgrind dumps. They are on:
http://www.leadservers.com/gdb-radiusd.log
http://www.leadservers.com/valgrind-radiusd.log

Kindly assist.

Cheers,
Chris.
Deployment
Sir,

I am trying to move to the production server after due tests. I installed version 2.1.6 on CentOS 5.2. Funnily I am getting a Segmentation fault error when my hints file is to be loaded. The debug message is:

server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
        huntgroups = /etc/raddb/huntgroups
        hints = /etc/raddb/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
Segmentation fault

My Hints file gives an error when this is inserted:

DEFAULT User-Name =~ '^([...@]+)(@zmobile.com)?$', NAS-IP-Address == 10.76.100.69
        User-Name := %{1}

Kindly assist.

Cheers,
Chris.
Re: Deployment
tech.subscripti...@shepherdhill.biz wrote: I am trying to move to the production server after due tests. I installed version 2.1.6 on CentOS 5.2. Funnily I am getting Segmentation fault error when my hints file is to be loaded. The debug message is: ... Segmentation fault Please see doc/bugs My Hints file gives error when this is inserted:

DEFAULT User-Name =~ '^([...@]+)(@zmobile.com)?$', NAS-IP-Address == 10.76.100.69
        User-Name := %{1}

It's not a problem on any system I have access to. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius deployment
[EMAIL PROTECTED] wrote: Hi, I'm planning a FreeRadius deployment where the same machine will be running two FreeRADIUS instances, each one listening on different interfaces with different IP addresses. However, I had been looking in the documentation for this possibility and found no information about it, so I don't know whether it is possible or not. Has anyone tried this? Use FreeRadius 2, you can instantiate two virtual servers and bind them to different ip addresses. I think that I will need two different radiusd with different radius.conf, users, db, accounting files, but I'm not really sure. So far I had been able to launch two radiusd using the -i and -p flags. Regards, Pablo Cuesta - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FreeRadius deployment
Has anyone tried this? Use FreeRadius 2, you can instantiate two virtual servers and bind them to different ip addresses. Downloading it right now. Thanks. Pablo Cuesta - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius deployment
Hi, I'm planning a FreeRadius deployment where the same machine will be running two FreeRADIUS instances, each one listening on different interfaces with different IP addresses. However, I had been looking in the documentation for this possibility and found no information about it, so I don't know whether it is possible or not. Has anyone tried this? I think that I will need two different radiusd with different radius.conf, users, db, accounting files, but I'm not really sure. So far I had been able to launch two radiusd using the -i and -p flags. Regards, Pablo Cuesta - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FreeRadius deployment
Me again. I feel pretty stupid now as the listen section was documented in the radiusd.conf file but I read over it. Anyway, I had checked the 1.1.7 I got installed and it has the listen section which seems to allow the same FreeRADIUS server to listen at different IPs and ports. However, would the radius listen to auth and acct packets or only to auth packets? I mean,

***start config***
listen {
    ipaddr = IP1.IP1.IP1.IP1
    port = PORT1
    type = auth
}
listen {
    ipaddr = IP1.IP1.IP1.IP1
    port = PORT1+1
    type = acct
}
listen {
    ipaddr = IP2.IP2.IP2.IP2
    port = PORT2
    type = auth
}
listen {
    ipaddr = IP2.IP2.IP2.IP2
    port = PORT2+1
    type = acct
}
***end config***

Will it work, listening to auth and acct packets? Anyway I will upgrade to version 2 but 1.1.7 is installed in our test machine right now. Thank you in advance, Pablo Cuesta -Original message- From: Cuesta Fernandez,P,Pablo,JPW32 R Sent: Thursday, 07 February 2008 20:44 To: '[EMAIL PROTECTED]'; 'FreeRadius users mailing list' Subject: RE: FreeRadius deployment Has anyone tried this? Use FreeRadius 2, you can instantiate two virtual servers and bind them to different ip addresses. Downloading it right now. Thanks. Pablo Cuesta - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IPv6 deployment howto
Matthias Cramer wrote: No, i unse 1.1.3 because this is the last version which seams not to have the sighup bug. seems. *NO* version of 1.x is safe under HUP. Maybe it's easier to reproduce in 1.1.4 and later. But 1.1.3 isn't safe, either. I've been doing some massive code changes in the code in CVS in order to enable HUP. I don't think it will be in 2.0, but maybe 2.0.1, or 2.1. Handling HUP correctly is *hard*. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IPv6 deployment howto
Hi Mark, Mark J Elkins wrote: Matthias Cramer wrote: What magic lines would I need to add to my Cisco and what magic to add to FreeRadius? Anyone have Dialup clients being issued IPv6 addresses yet? 1 - I expect to add some sort of IPv6 field to MySQL (ie - for a static IPv6 address or to signify the NAS to use a Dynamic address) 2 - I expect the authorize_check_query and other SQL queries to change a bit... ie return IPv6 data - without breaking IPv4 only NAS's 3 - I expect to add an IPv6 pool and other lines of magic to my Cisco. There's Framed-IPv6-prefix, where you can assign Ip's to a client. I do it with: cisco-avpair = ipv6:route#1=2001:dead:beef::/64 I do not use dynamic allocation. Cheers Matthias Can I ask why? (why no dynamic). I don't even know if there is a way to do this Because all the people I serve IPv6 this way are ADSL customers, who are always online anyway, and like to be able to run a webserver or such. Why a /64 - and not /60 or /56 ?? (not even sure if that's possible) I do /64 and /48, but any sensible subnet is possible in my opinion. Sorry about the questions - but very few people seem to be providing any sort of IPv6 access to dialup clients Some more.. Do you use FreeRadius 2.0 or something older. No, I use 1.1.3 because this is the last version which seams not to have the sighup bug. In order to support IPv6 - what new fields did you add to your backend (database). I use a traditional users file Did you add any new cisco-avpair parts apart from an IPv6 Route ... No which kind of seems strange to me - should you not have added a Prefix (ipv6:prefix#1) instead ? .. which adds an entry to the RIB table anyway? What did you have to add to the Cisco for user access?
interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback0
 no ip redirects
 no ip proxy-arp
 ip tcp adjust-mss 1452
 ipv6 enable
 qos pre-classify
 peer default ip address pool ADSLPool1
 ppp mtu adaptive
 ppp authentication chap pap callin ADSL
 ppp authorization ADSL

Are many (any?) people using IPv6? Not that many .. we have about 5-10 customers using IPv6 What did they have to do on their end to get an address? Have an IPv6 capable router... Which is a Cisco, Linux, *BSD router. Probably it will also work with MacOSX or Vista doing PPP or PPPoE depending on what service you provide. I promise that I'll one day update the wiki with this sort of info.. That sounds nice. Best regards and greetings to South Africa Matthias -- Matthias Cramer, System Network Manager, Interway Communication GmbH, Phone +41 43 500, Josefstrasse 225, Fax +41 44 271 3535, CH-8005 Zuerich, http://www.interway.ch/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
IPv6 deployment howto
Hi, I'm looking for some assistance on deploying IPv6. I'm currently using FreeRADIUS Version 1.1.6. I have for testing a Cisco 3640 running C3640-IK9S-M. The cisco has properly routable IPv6 addresses on its Ethernet and Loopback. I currently allow clients to dial to this device using the E1 (ISDN-PRI) and with 30 mica modems. Currently - I issue IPv4 addresses to clients and all is working well. I run MySQL as the admin backend to FreeRadius - ie thats where my clients info is stored. Usually - a client will be given a dynamic IPv4 address from a local pool of addresses configured on the Cisco... some (very few - but importaint) clients have static addresses (ie - for pre-defined holes in their company firewalls - etc). I'd like to also be able to provide dialup clients with IPv6 addresses - in addition to any IPv4 address. I think that I'd like to have a pool of IPv6 addresses on the cisco and to be able to provide clients with a /64 block (might look at a /60 or /56 one day). To do this in IPv4 - I send 255.255.255.254 to the NAS/Cisco. So whats the IPv6 equivalent? I expect to stay with FreeRADIUS Version 1.1.6 for now and understand that packets between the NAS and Radius will be via IPv4. Thats fine - though one day I think I expect to see FreeRadius listening on both IPv4 and IPv6 at the same time. The WIKI has little to say on IPv6 - except that IPv6 support is better on FreeRadius2.0 - but IPv6 attributes can be supplied from pre-2.0 versions of freeRadius. So - can anyone help me please? What magic lines would I need to add to my Cisco and what magic to add to FreeRadius? Anyone have Dialup clients being issued IPv6 addresses yet? 1 - I expect to add some sort of IPv6 field to MySQL (ie - for a static IPv6 address or to signify the NAS to use a Dynamic address) 2 - I expect the authorize_check_query and other SQL queries to change a bit... 
ie return IPv6 data - without breaking IPv4 only NAS's 3 - I expect to add an IPv6 pool and other lines of magic to my Cisco. just need a little help...? Someone must have done this already! -- . . ___. .__ Posix Systems - Sth Africa /| /| / /__ [EMAIL PROTECTED] - Mark J Elkins, SCO ACE, Cisco CCIE / |/ |ARK \_/ /__ LKINS Tel: +27 12 807 0590 Cell: +27 82 601 0496 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IPv6 deployment howto
Mark J Elkins wrote: I'm looking for some assistance on deploying IPv6. I'm currently using FreeRADIUS Version 1.1.6. I have for testing a Cisco 3640 running C3640-IK9S-M. The cisco has properly routable IPv6 addresses on its Ethernet and Loopback. Version 1.1.6 doesn't support IPv6. I think that I'd like to have a pool of IPv6 addresses on the cisco and to be able to provide clients with a /64 block (might look at a /60 or /56 one day). To do this in IPv4 - I send 255.255.255.254 to the NAS/Cisco. So whats the IPv6 equivalent? I don't think there is one. See the Cisco documentation for more. Address allocation in IPv6 is very different from IPv4. I expect to stay with FreeRADIUS Version 1.1.6 for now and understand that packets between the NAS and Radius will be via IPv4. Thats fine - though one day I think I expect to see FreeRadius listening on both IPv4 and IPv6 at the same time. Version 2.0 will support IPv6. What magic lines would I need to add to my Cisco and what magic to add to FreeRadius? Anyone have Dialup clients being issued IPv6 addresses yet? 1 - I expect to add some sort of IPv6 field to MySQL (ie - for a static IPv6 address or to signify the NAS to use a Dynamic address) 2 - I expect the authorize_check_query and other SQL queries to change a bit... ie return IPv6 data - without breaking IPv4 only NAS's 3 - I expect to add an IPv6 pool and other lines of magic to my Cisco. There's Framed-IPv6-prefix, where you can assign Ip's to a client. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IPv6 deployment howto
What magic lines would I need to add to my Cisco and what magic to add to FreeRadius? Anyone have Dialup clients being issued IPv6 addresses yet? 1 - I expect to add some sort of IPv6 field to MySQL (ie - for a static IPv6 address or to signify the NAS to use a Dynamic address) 2 - I expect the authorize_check_query and other SQL queries to change a bit... ie return IPv6 data - without breaking IPv4 only NAS's 3 - I expect to add an IPv6 pool and other lines of magic to my Cisco. There's Framed-IPv6-prefix, where you can assign Ip's to a client. I do it with: cisco-avpair = ipv6:route#1=2001:dead:beef::/64 I do not use dynamic allocation. Cheers Matthias -- Matthias Cramer / mc322-ripe, System Network Manager, Interway Communication GmbH, Phone +41 43 500, Josefstrasse 225, Fax +41 44 271 3535, CH-8005 Zürich, http://www.interway.ch/ GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E 3959 B62F DF1C 2D20 8250 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IPv6 deployment howto
Alan DeKok wrote: Mark J Elkins wrote: I'm looking for some assistance on deploying IPv6. I'm currently using FreeRADIUS Version 1.1.6. I have for testing a Cisco 3640 running C3640-IK9S-M. The cisco has properly routable IPv6 addresses on its Ethernet and Loopback. Version 1.1.6 doesn't support IPv6. From the Wiki... http://wiki.freeradius.org/index.php/FAQ#Does_FreeRADIUS_Support_IPv6.3F FreeRADIUS 1.1.x does not particularly care if the host it runs on is dual-stack. It will work just fine, but only use the IPv4 stack of the machine. It will also transport IPv6 RADIUS attributes just fine but will NOT send packets over IPv6. My reading of this is that I can use FreeRADIUS 1.1.6 to store and transport IPv6 Radius attributes so I can use 1.1.6 ??? I think that I'd like to have a pool of IPv6 addresses on the cisco and to be able to provide clients with a /64 block (might look at a /60 or /56 one day). To do this in IPv4 - I send 255.255.255.254 to the NAS/Cisco. So whats the IPv6 equivalent? I don't think there is one. See the Cisco documentation for more. I guess you have no pointers as to exactly where..? I've already been reading Cisco stuff for hours... Address allocation in IPv6 is very different from IPv4. I expect to stay with FreeRADIUS Version 1.1.6 for now and understand that packets between the NAS and Radius will be via IPv4. Thats fine - though one day I think I expect to see FreeRadius listening on both IPv4 and IPv6 at the same time. Version 2.0 will support IPv6. What magic lines would I need to add to my Cisco and what magic to add to FreeRadius? Anyone have Dialup clients being issued IPv6 addresses yet? 1 - I expect to add some sort of IPv6 field to MySQL (ie - for a static IPv6 address or to signify the NAS to use a Dynamic address) 2 - I expect the authorize_check_query and other SQL queries to change a bit... ie return IPv6 data - without breaking IPv4 only NAS's 3 - I expect to add an IPv6 pool and other lines of magic to my Cisco. 
There's Framed-IPv6-prefix, where you can assign Ip's to a client. I think this is for static allocations only. From my limited experience, rfc3162 seems to suggest using Login-IPv6-Host as a trigger? Login-IPv6-Host=0 - use an address from the local pool, Login-IPv6-Host=all 'F' - use the address that the user wants Anything else - the address to assign. No idea if this is implemented though... Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- . . ___. .__ Posix Systems - Sth Africa /| /| / /__ [EMAIL PROTECTED] - Mark J Elkins, SCO ACE, Cisco CCIE / |/ |ARK \_/ /__ LKINS Tel: +27 12 807 0590 Cell: +27 82 601 0496 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IPv6 deployment howto
Mark J Elkins wrote: My reading of this is that I can use FreeRADIUS 1.1.6 to store and transport IPv6 Radius attributes so I can use 1.1.6 ??? Yes. There's Framed-IPv6-prefix, where you can assign Ip's to a client. I think this is for static allocations only. I don't know what you mean by that. The Access-Accept can contain an IPv6 prefix. The prefix is valid only for as long as the session is active. It is NOT a permanently allocated static IP. From my limited experience, rfc3162 seems to suggest using Login-IPv6-Host as a trigger? No. This is for connecting the user to a machine. It is not for assigning an IP address to a machine. See Login-Service, and Login-TCP-Port. The Login-* attributes are about connecting a dial-in user directly to an ip/port pair. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
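The attribute the last few messages argue about, worked through in code. This is an added example for the thread, not FreeRADIUS or Cisco code: it encodes Framed-IPv6-Prefix (RFC 3162 attribute 97) and the cisco-avpair Vendor-Specific attribute from Matthias's users entry into an Access-Accept, computes the RFC 2865 Response Authenticator that ties the reply to the request and to the shared secret, and parses the prefix back out with the checks a NAS should apply. The shared secret, packet identifier and request authenticator are constructed values; the prefix 2001:dead:beef::/64 is the one from the thread.

```python
"""Encode, parse and verify a RADIUS Access-Accept that hands a PPP client an
IPv6 prefix. Added illustration for the thread, not FreeRADIUS or Cisco code.
The shared secret, packet identifier and request authenticator are constructed
values; the prefix 2001:dead:beef::/64 and the cisco-avpair string come from
the thread."""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2
FRAMED_IPV6_PREFIX = 97   # RFC 3162 section 2.3
VENDOR_SPECIFIC = 26      # RFC 2865 section 5.26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def framed_ipv6_prefix(prefix: str) -> bytes:
    """Framed-IPv6-Prefix AVP: Type, Length, Reserved, Prefix-Length, Prefix.
    RFC 3162 lets the sender include only the octets holding Prefix-Length bits."""
    net = ipaddress.IPv6Network(prefix)          # strict: host bits must be zero
    nbytes = (net.prefixlen + 7) // 8
    value = bytes([0, net.prefixlen]) + net.network_address.packed[:nbytes]
    return bytes([FRAMED_IPV6_PREFIX, 2 + len(value)]) + value


def cisco_avpair(text: str) -> bytes:
    """A cisco-avpair string inside a Vendor-Specific AVP (vendor 9, vendor type 1)."""
    data = text.encode("ascii")
    vsa = struct.pack(">IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(data)) + data
    return bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa


def access_accept(identifier: int, request_auth: bytes, secret: bytes, avps: bytes) -> bytes:
    """Assemble the reply with its Response Authenticator (RFC 2865 section 3):
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", ACCESS_ACCEPT, identifier, 20 + len(avps))
    response_auth = hashlib.md5(header + request_auth + avps + secret).digest()
    return header + response_auth + avps


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: recompute the authenticator with the request authenticator
    in place of the received one. A wrong secret or any changed byte fails it."""
    if len(packet) < 20 or struct.unpack(">H", packet[2:4])[0] != len(packet):
        return False
    header, received, avps = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + avps + secret).digest()
    return hmac.compare_digest(received, expected)


def parse_ipv6_prefixes(packet: bytes) -> list[str]:
    """Walk the AVP list and decode every Framed-IPv6-Prefix, rejecting a bad
    length or bits set beyond Prefix-Length (RFC 3162 requires them to be zero)."""
    found = []
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated AVP header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad AVP length at offset %d" % pos)
        if atype == FRAMED_IPV6_PREFIX:
            if alen < 4:
                raise ValueError("malformed Framed-IPv6-Prefix")
            plen, raw = packet[pos + 3], packet[pos + 4:pos + alen]
            if plen > 128 or len(raw) > 16 or len(raw) < (plen + 7) // 8:
                raise ValueError("malformed Framed-IPv6-Prefix")
            addr = ipaddress.IPv6Address(raw.ljust(16, b"\0"))  # pad a truncated prefix
            net = ipaddress.IPv6Network((addr, plen), strict=False)
            if net.network_address != addr:
                raise ValueError("Framed-IPv6-Prefix has bits set beyond Prefix-Length")
            found.append(str(net))
        pos += alen
    return found


def prefix_is_rejected(avps: bytes) -> bool:
    """True if the parser refuses an Access-Accept carrying these AVPs."""
    try:
        parse_ipv6_prefixes(access_accept(1, bytes(16), b"s", avps))
        return False
    except ValueError:
        return True


def demo() -> tuple[bytes, list[str], bool]:
    secret = b"testing123"        # constructed shared secret
    req_auth = bytes(range(16))   # stands in for the Access-Request authenticator
    avps = (framed_ipv6_prefix("2001:dead:beef::/64")
            + cisco_avpair("ipv6:route#1=2001:dead:beef::/64"))
    pkt = access_accept(7, req_auth, secret, avps)
    return pkt, parse_ipv6_prefixes(pkt), verify_response(pkt, req_auth, secret)
```

Two details are worth noting. The Prefix field may be sent truncated to whole octets, so a decoder has to pad it before interpreting it, and RFC 3162 requires the bits beyond Prefix-Length to be zero, which the parser enforces rather than silently masking. The Response Authenticator is only an MD5 over the shared secret, so its strength is the secret's; a NAS that skips the check accepts any reply forged with the right identifier.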
Short Deployment Platform Questionnaire
Hi Guys In order to bring our documentation up to date, can everyone please take a few seconds to report to me (either privately or to the list) what deployment platform(s) you are running FreeRADIUS on. In particular I am looking for non Linux/x86 information. The more information you can give me the better, but everything helps. I would like to know answers to the following questions (In order of importance) * What Operating System and Version are you running FreeRADIUS on? * What architecture are you running on (x86, x86_64, Sparc, IA64, PPC etc)? * What version of FreeRADIUS do you have in production? * Approximately how many AAA users do you have? * Did you install a vendor package, downloaded package, selfbuilt package or source install? * If you built FreeRADIUS yourself, please list any special installation/compilation steps you needed to take to make it work on your platform. Thanks in Advance from the FreeRADIUS Development Team -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc pgpZP28RuS6Ok.pgp Description: PGP signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Short Deployment Platform Questionnaire
Quoting Peter Nixon [EMAIL PROTECTED]: Hi Guys In order to bring our documentation up to date, can everyone please take a few seconds to report to me (either privately or to the list) what deployment platform(s) you are running FreeRADIUS on. In particular I am looking for non Linux/x86 information. The more information you can give me the better, but everything helps. I would like to know answers to the following questions (In order of importance) * What Operating System and Version are you running FreeRADIUS on? Debian Sarge 3.1 (in use) SuSE Linux Enterprise Server 9 (updated by SLES 10, see below) SuSE Linux Enterprise Server 10 OpenSuSE 10.0 (just for testing) Mac OS X 10.4.7 (_not_ Server, for testing only) * What architecture are you running on (x86, x86_64, Sparc, IA64, PPC etc)? x86 (in use, all Linux systems) PPC (Mac OS X) * What version of FreeRADIUS do you have in production? 1.1.3 (all updated lately) * Approximately how many AAA users do you have? ~ 900 users (in use, currently in LDAP) ~ 1200 devices (mac authentication, planned, still testing ...) * Did you install a vendor package, downloaded package, selfbuilt package or source install? Debian: selfbuilt package SuSE: selfbuilt package Mac OS X 10.4.7 (not server!): source install * If you built FreeRADIUS yourself, please list any special installation/compilation steps you needed to take to make it work on your platform. Debian and SuSE: worked out of the box Mac OS X 10.4.7 (not server!): the ./configure script adds a line INSTALLSTRIP = -s in Make.inc which produces errors (as reported: Symbol not found: _debug_flag). Removing the -s option solves the problem; another solution is running ./configure --enable-developer.
so the following works:

# ./configure --enable-developer
# make
# sudo make install

maybe important: I did not build any of the following modules due to missing libraries (did it just for testing and contribution, it's not a productive system; maybe next year ...): any sql-module, unixodbc, rlm_counter, rlm_ippool Thanks in Advance from the FreeRADIUS Development Team thanks in return to all developers for their great work and assistance! markus -- Markus Krause email: [EMAIL PROTECTED] Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS by order of the Computing Center of the Max-Planck-Institute of Biochemistry Tel.: 089 - 89 40 85 99 Fax.: 089 - 89 40 85 98 - This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: deployment question
Sorry, what I'm trying to ask is: Most secure way to create a unix login whose sole function is to execute adduser to add users to the /etc/passwd file. I'm running openbsd. Hmmm... as I finish writing this question it looks like this is rather off topic. Anyhows any ideas welcome. Thanks Dustin Doris wrote: Dustin any input on this one? Maqbool Hashim wrote: Hi there, I've finally come to a decision as to what sort of backend we're going to use. Thanks for all the discussion it was very helpful in coming to the final decision. Heres what I'm going to go with: Use the UNIX password file on the machine that holds the radius server to authenticate users against. Users will be able to add users on that machine, with a special login. They won't have access to the radius configuration files at all. Users will only be able to login to the RADIUS machine over the LAN. The idea is that we trust our users and they will only be allowed to login to the RADIUS machine over the LAN. I was thinking of creating a UNIX login, which instead of providing a shell, executes a script to add the new radius user. Ideas on doing this as securely as possible would be appreciated. I have freeradius running on OpenBSD. We have something similar to this in our network. Users can telnet into the box and they don't get a shell, but instead are given some kind of menu. Its been years since I've looked at it, but I'll see if I can track down if we still have it and see if I can find anything about it. Maybe I can send you a partial copy of the code, or at least how it was built and with what tools. -Dusty - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
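One way to build the restricted login Maqbool describes, as an added example that is neither the poster's script nor FreeRADIUS code. The account's shell field in /etc/passwd would point at this file. It ignores whatever argv the login process passes (so ssh user@host 'cmd' cannot smuggle a command in), reads one username, validates it against an allowlist pattern, and hands it to the user-creation command as a single argv element with no shell in between. Because a script cannot be setuid, the privileged step is assumed to be delegated to doas with a rule permitting exactly that command; the useradd path and flags are assumptions to be adapted to the local adduser.

```python
"""A login 'shell' whose only job is to create a RADIUS user account.

Added illustration for the thread above, not FreeRADIUS code and not the
poster's script. Assumptions: the account's /etc/passwd shell field points at
this file; the privilege step is delegated to doas(1) with a rule restricted
to exactly the useradd invocation below (a script cannot be setuid, so the
escalation has to be explicit); /usr/sbin/useradd -m is the local way to
create an account (adapt for adduser(8))."""
import re
import subprocess
import sys

# Allowlist, not denylist: lowercase, starts with a letter, at most 32 chars.
# Starting with a letter also rules out names useradd would parse as options.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")

# Names that must never be created through this path.
RESERVED = frozenset({"root", "daemon", "operator", "bin", "sshd", "radius", "freeradius"})

USERADD = ["/usr/sbin/useradd", "-m"]   # assumed path and flags
DOAS = ["/usr/bin/doas", "-n"]           # -n: never prompt, fail instead


def validate_username(raw: str) -> str:
    """Return the username if acceptable, else raise ValueError."""
    name = raw.strip()
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username must match " + USERNAME_RE.pattern)
    if name in RESERVED:
        raise ValueError("reserved username")
    return name


def is_acceptable(raw: str) -> bool:
    try:
        validate_username(raw)
        return True
    except ValueError:
        return False


def build_command(name: str) -> list[str]:
    """argv for the privileged step. The name is one argv element and never
    passes through a shell, so metacharacters in it cannot alter the command."""
    return DOAS + USERADD + [name]


def existing_user(name: str, passwd_lines: list[str]) -> bool:
    """Check /etc/passwd-style lines (first field is the login name)."""
    return any(line.split(":", 1)[0] == name for line in passwd_lines if line)


def main() -> int:
    # Deliberately ignore sys.argv: a remote login may pass "-c <command>",
    # and this program must never execute it.
    sys.stdout.write("New RADIUS username: ")
    sys.stdout.flush()
    raw = sys.stdin.readline()
    if not raw:
        return 1
    try:
        name = validate_username(raw)
        with open("/etc/passwd") as fh:
            if existing_user(name, fh.read().splitlines()):
                raise ValueError("user already exists")
    except ValueError as exc:
        print("rejected:", exc)
        return 1
    # No shell=True; stdin closed so useradd cannot be fed further input.
    result = subprocess.run(build_command(name), stdin=subprocess.DEVNULL, check=False)
    print("created" if result.returncode == 0 else "useradd failed")
    return result.returncode


if __name__ == "__main__":
    sys.exit(main())
```

The file itself should be readable and executable only by the special account, and the doas rule should name the full command with its arguments so that the account cannot run useradd with other flags. Setting the account's password is a separate step that this example deliberately leaves to the administrator.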
Re: deployment question
Hi there, I've finally come to a decision as to what sort of backend we're going to use. Thanks for all the discussion it was very helpful in coming to the final decision. Heres what I'm going to go with: Use the UNIX password file on the machine that holds the radius server to authenticate users against. Users will be able to add users on that machine, with a special login. They won't have access to the radius configuration files at all. Users will only be able to login to the RADIUS machine over the LAN. The idea is that we trust our users and they will only be allowed to login to the RADIUS machine over the LAN. I was thinking of creating a UNIX login, which instead of providing a shell, executes a script to add the new radius user. Ideas on doing this as securely as possible would be appreciated. I have freeradius running on OpenBSD. Dustin Doris wrote: On Wed, 13 Apr 2005, Maqbool Hashim wrote: True. Just coming back to your earlier mail: Put the front-end on a different machine and have it only run apache. Put the ldap server on your private network and have the radius server and webserver with an interface on that network. The problem I can see with this is a PHP vulnerability would mean access to the backend. Basically putting the backend on the LAN doesn't really give us extra security, because the frontend will have full access to the Users table. The only extra security is if you're using ldap then you don't need to hardcode a master username/password into the webserver. So, in theory if someone hacked your webserver via php vulnerability or whatever else, they still wouldn't have any way to do any damage to your ldap directory or even view it. If you were to use mysql, then you'd need to hardcode some user that has write access to the whole database into your front-end. They get your webserver, they've now got your db. Same with berkely db. You might have to run the berkely db and radius servers on the same machine as the webserver. 
Or run some kind of ssh script to access the remote server and modify the db. I don't know if you can modify a berkely db remotely. Same problem, you'll have some kind of ssh key that will get them in or they'll have local access to it. Of course, if you use ldap, someone gets into your webserver and you then have an ssh exploit on your ldap directory you're out of luck again. But that's the engineers fault for not keeping it up to date. You could always try to firewall the public website to only allow your IP space into it. That way if someone does mess it up, you can track it back to that person and kick their ass. :) hehe. I guess we've got to have a weak link somewhere huh? Unfortunately. Anytime something has to be publicly available, there is bound to be a hole somewhere. Dustin Doris wrote: dbm would be very fast and simple. I've never used it directly though, so I can't provide any help. Openldap does use berkerly db as the backend db for datastorage, so you are really just taking off a layer and making it much simpler. Mysql even offers a berkely db backend. You will need to build some sort of front-end with access to write to that db though. This will get you back to the security issue before as you'll have to have the logic of who can change what built into the front-end. You'll also have to write that front-end so it knows how to write correctly to the db. If you can do it, it should be real fast. Thats very helpful thank you. I was actually thinking of something similar except using mysql, but obviously ldap would be better as it directly provides that feature. However I was just reading some of the rlm_dbm file and it seems like the ideal backend for us, as it doesn't require any addtional server software, fast etc. However I'm not too familiar with db and whether it would be easy to acheive the same thing, i.e. users be able to change their own record in the dbm users file. Any ideas? Dustin Doris wrote: Ldap will provide that feature for you. 
An openldap acl might look like this.

access to attr=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.one="ou=useraccounts,dc=yourdomain,dc=com"
    by self write
    by dn="cn=freeradius,dc=yourdomain,dc=com" read
    by anonymous auth
    by * none

That means you can login and change your own stuff, but can't see anyone else's. Freeradius can read for authorization. This doesn't include reading passwords, which is shown as none in the prior acl. You then build a webpage front-end, such as with php. Have the user login to the webpage and change their password. The webpage will then send the username/password of the user logged in to ldap for the password change. This means that the webpage itself won't have super user rights and can only change the username/password of the person that is logged in and if they provide the correct username/password in the first place.
Re: deployment question
Dustin any input on this one? Maqbool Hashim wrote: Hi there, I've finally come to a decision as to what sort of backend we're going to use. Thanks for all the discussion it was very helpful in coming to the final decision. Heres what I'm going to go with: Use the UNIX password file on the machine that holds the radius server to authenticate users against. Users will be able to add users on that machine, with a special login. They won't have access to the radius configuration files at all. Users will only be able to login to the RADIUS machine over the LAN. The idea is that we trust our users and they will only be allowed to login to the RADIUS machine over the LAN. I was thinking of creating a UNIX login, which instead of providing a shell, executes a script to add the new radius user. Ideas on doing this as securely as possible would be appreciated. I have freeradius running on OpenBSD. Dustin Doris wrote: On Wed, 13 Apr 2005, Maqbool Hashim wrote: True. Just coming back to your earlier mail: Put the front-end on a different machine and have it only run apache. Put the ldap server on your private network and have the radius server and webserver with an interface on that network. The problem I can see with this is a PHP vulnerability would mean access to the backend. Basically putting the backend on the LAN doesn't really give us extra security, because the frontend will have full access to the Users table. The only extra security is if you're using ldap then you don't need to hardcode a master username/password into the webserver. So, in theory if someone hacked your webserver via php vulnerability or whatever else, they still wouldn't have any way to do any damage to your ldap directory or even view it. If you were to use mysql, then you'd need to hardcode some user that has write access to the whole database into your front-end. They get your webserver, they've now got your db. Same with berkely db. 
You might have to run the berkely db and radius servers on the same machine as the webserver. Or run some kind of ssh script to access the remote server and modify the db. I don't know if you can modify a berkely db remotely. Same problem, you'll have some kind of ssh key that will get them in or they'll have local access to it. Of course, if you use ldap, someone gets into your webserver and you then have an ssh exploit on your ldap directory you're out of luck again. But that's the engineers fault for not keeping it up to date. You could always try to firewall the public website to only allow your IP space into it. That way if someone does mess it up, you can track it back to that person and kick their ass. :) hehe. I guess we've got to have a weak link somewhere huh? Unfortunately. Anytime something has to be publicly available, there is bound to be a hole somewhere. Dustin Doris wrote: dbm would be very fast and simple. I've never used it directly though, so I can't provide any help. Openldap does use berkerly db as the backend db for datastorage, so you are really just taking off a layer and making it much simpler. Mysql even offers a berkely db backend. You will need to build some sort of front-end with access to write to that db though. This will get you back to the security issue before as you'll have to have the logic of who can change what built into the front-end. You'll also have to write that front-end so it knows how to write correctly to the db. If you can do it, it should be real fast. Thats very helpful thank you. I was actually thinking of something similar except using mysql, but obviously ldap would be better as it directly provides that feature. However I was just reading some of the rlm_dbm file and it seems like the ideal backend for us, as it doesn't require any addtional server software, fast etc. However I'm not too familiar with db and whether it would be easy to acheive the same thing, i.e. 
users be able to change their own record in the dbm users file. Any ideas? Dustin Doris wrote: Ldap will provide that feature for you. An openldap acl might look like this.

access to attr=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.one="ou=useraccounts,dc=yourdomain,dc=com"
    by self write
    by dn="cn=freeradius,dc=yourdomain,dc=com" read
    by anonymous auth
    by * none

That means you can login and change your own stuff, but can't see anyone else's. Freeradius can read for authorization. This doesn't include reading passwords, which is shown as none in the prior acl. You then build a webpage front-end, such as with php. Have the user login to the webpage and change their password. The webpage will then send the username/password of the user logged in to ldap for the password change. This means that the webpage itself won't have super user rights and can only change the username/password of the person that is logged in and if they provide
Re: deployment question
Dustin any input on this one? Maqbool Hashim wrote: Hi there, I've finally come to a decision as to what sort of backend we're going to use. Thanks for all the discussion it was very helpful in coming to the final decision. Heres what I'm going to go with: Use the UNIX password file on the machine that holds the radius server to authenticate users against. Users will be able to add users on that machine, with a special login. They won't have access to the radius configuration files at all. Users will only be able to login to the RADIUS machine over the LAN. The idea is that we trust our users and they will only be allowed to login to the RADIUS machine over the LAN. I was thinking of creating a UNIX login, which instead of providing a shell, executes a script to add the new radius user. Ideas on doing this as securely as possible would be appreciated. I have freeradius running on OpenBSD. We have something similar to this in our network. Users can telnet into the box and they don't get a shell, but instead are given some kind of menu. Its been years since I've looked at it, but I'll see if I can track down if we still have it and see if I can find anything about it. Maybe I can send you a partial copy of the code, or at least how it was built and with what tools. -Dusty - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
deployment question
Hi there,

After some trouble I have managed to get freeradius to compile on openbsd! Now I have a question about the backend database to use with freeradius.

Requirements:
1) Users can access the database and change their own password.
2) Users cannot see or change any other users' passwords.
3) The database we use is as small and cut down as possible while including the above two features.

I have thought about using MYSQL and table privileges to achieve this. However my concern is that MYSQL is a little bloated and I would prefer to achieve the above using the most cut-down db I can. By the way this configuration has only one realm.

Thanks in advance.
RE: deployment question
Maqbool Hashim wrote (Wednesday, April 13, 2005 8:57 AM):
> However my concern is that MYSQL is a little bloated and would prefer to

Bloated? How so? How many users are we talking about here? Sounds like a decent task for MySQL to me :) If you are worried about database size etc. I'd do a shell script or something to throw in X number of dummy users and see what you end up with.

... Miles Mawyer -=- Webmaster . Centralva.net ... ... [EMAIL PROTECTED] ... ... 434.385.5053 ...
Re: deployment question
Thanks, I'm just thinking that mysql is a big and complex program which offers a lot of features. Our requirements are quite specific. I'm not saying I'm ruling out using mysql, just would like to hear whether there are any alternatives. Also, I notice that the mysql schema has a users table. Isn't it going to be difficult to give a single user access to change their password while hiding other users' passwords?

Miles Mawyer wrote:
> Bloated? How so? How many users are we talking about here? Sounds like a decent task for MySQL to me :)
RE: deployment question
Maqbool Hashim wrote (Wednesday, April 13, 2005 9:09 AM):
> Isn't it going to be difficult to give a single user access to change their password while hiding other users' passwords?

Well, I suppose that depends on what you mean by give them access. Are you talking direct access via mysql command line or phpmyadmin? I don't know your specifics BUT, it sounds to me like a job for a php front end of some sort. That would certainly make that a moot point.

... Miles Mawyer -=- Webmaster . Centralva.net ... ... [EMAIL PROTECTED] ... ... 434.385.5053 ...
Re: deployment question
Sorry, I'm not being clear here. What I meant was, if all users are contained in the same table, how can I allow a user to change just the row which corresponds to their username without revealing the rest of the table?

Miles Mawyer wrote:
> Well, I suppose that depends on what you mean by give them access. Are you talking direct access via mysql command line or phpmyadmin? I don't know your specifics BUT, it sounds to me like a job for a php front end of some sort.
RE: deployment question
See previous answer :P A php or perl frontend to pull JUST that user's record. Have them authenticate FIRST via the current password, then update the record that contains that username. Make sense? I don't see a need for them to view the whole table if you use a method such as this.

... Miles Mawyer -=- Webmaster . Centralva.net ... ... [EMAIL PROTECTED] ... ... 434.385.5053 ...

Maqbool Hashim wrote (Wednesday, April 13, 2005 9:22 AM):
> Sorry, I'm not being clear here. What I meant was, if all users are contained in the same table, how can I allow a user to change just the row which corresponds to their username without revealing the rest of the table?
Re: deployment question
That makes sense. So effectively the php program has a login for the database. The user has a login for the php frontend. What the user sees depends on the credentials he supplies to the php frontend. Therefore the security rests with the php frontend. Right?

Miles Mawyer wrote:
> See previous answer :P A php or perl frontend to pull JUST that user's record. Have them authenticate FIRST via the current password, then update the record that contains that username.
RE: deployment question
Right. The user has a login for the php frontend. The frontend would simply use the info from the user table. Username / old password / new password supplied via webform for example, php connects to mysql, and looks for a matching record in the user table for username / old password, compares, voila!

... Miles Mawyer -=- Webmaster . Centralva.net ... ... [EMAIL PROTECTED] ... ... 434.385.5053 ...

Maqbool Hashim wrote (Wednesday, April 13, 2005 9:47 AM):
> That makes sense. So effectively the php program has a login for the database. The user has a login for the php frontend. What the user sees depends on the credentials he supplies to the php frontend. Therefore the security rests with the php frontend. Right?
Re: deployment question
I'm with you. Thank you kindly. Now sorry to keep going on about this, but can you think of an alternative to mysql? Something like a command line password change tool which accesses the users database. I'm just trying to find a way of achieving this without having to install apache and mysql. More features, more complexity, harder to secure.

Miles Mawyer wrote:
> Right. The user has a login for the php frontend. The frontend would simply use the info from the user table. Username / old password / new password supplied via webform for example, php connects to mysql, and looks for a matching record in the user table for username / old password, compares, voila!
Re: deployment question
Ldap will provide that feature for you. An openldap acl might look like this.

    access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

    access to dn.one="ou=useraccounts,dc=yourdomain,dc=com"
        by self write
        by dn="cn=freeradius,dc=yourdomain,dc=com" read
        by anonymous auth
        by * none

That means you can login and change your own stuff, but can't see anyone else's. Freeradius can read for authorization. This doesn't include reading passwords, which is shown as none in the prior acl.

You then build a webpage front-end, such as with php. Have the user login to the webpage and change their password. The webpage will then send the username/password of the user logged in to ldap for the password change. This means that the webpage itself won't have super user rights and can only change the username/password of the person that is logged in, and only if they provide the correct username/password in the first place.

Don't want apache? Then build a commandline tool users can use that does the same thing. You can write a shell wrapper over the ldapmodify client that comes with openldap. Then again, if you are allowing users local access to a machine in the first place, that is less secure than building a webserver. You want a command line tool for clients to use on their own computer? That is starting to get hard to support now. I would stay away from that.

If you're not hardcoding any superuser username/password in the webserver, then you know that users can't obtain that information and do anything to the ldap directory. Put the front-end on a different machine and have it only run apache. Put the ldap server on your private network and have the radius server and webserver with an interface on that network. That way the ldap traffic only goes over the private network. More complex, yes, but it's not too bad. Less secure? Anytime you want to add functionality, such as password changes, you will open security. But this setup should be pretty secure.

On Wed, 13 Apr 2005, Maqbool Hashim wrote:
> I'm with you. Thank you kindly. Now sorry to keep going on about this, but can you think of an alternative to mysql? Something like a command line password change tool which accesses the users database. I'm just trying to find a way of achieving this without having to install apache and mysql. More features, more complexity, harder to secure.
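The pattern Dustin describes above, as an added example that is not part of the thread and not code from the OpenLDAP or FreeRADIUS projects: the front end binds to the directory as the user who is changing the password, so it holds no superuser credential and the "by self write" rule on userPassword is what authorises the change. It wraps ldappasswd rather than ldapmodify (a substitution: the Password Modify extended operation lets slapd apply its own configured password-hash to the new value). Assumed, and not from the thread: entries sit at uid=<user>,ou=useraccounts,dc=yourdomain,dc=com (the ou is Dustin's, the uid attribute is a guess), the server URI in LDAP_URI, and ldappasswd on PATH.

```python
"""Self-service password change that binds as the user (added example)."""
import os
import re
import subprocess
import tempfile

BASE_DN = "ou=useraccounts,dc=yourdomain,dc=com"   # from the ACL in the thread
LDAP_URI = "ldaps://ldap.internal.example"         # assumed
USERNAME_RE = re.compile(r"[a-z0-9._-]{1,32}")     # allowlist, assumed policy


def valid_username(username: str) -> bool:
    """Reject anything that could be read as DN or filter syntax."""
    return USERNAME_RE.fullmatch(username) is not None


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def user_dn(username: str) -> str:
    return f"uid={escape_rdn_value(username)},{BASE_DN}"


def ldappasswd_argv(username: str, old_pw_file: str, new_pw_file: str) -> list:
    """Command line for a self-service change.

    -D binds as the user themself; -y, -t and -T read the bind password
    and the old/new password for the extended operation from files, so no
    secret ever shows up in the process list.
    """
    return [
        "ldappasswd", "-x", "-H", LDAP_URI,
        "-D", user_dn(username),
        "-y", old_pw_file,
        "-t", old_pw_file,
        "-T", new_pw_file,
    ]


def _secret_file(directory: str, name: str, secret: str) -> str:
    """Write a secret to a fresh 0600 file with no trailing newline
    (ldappasswd reads these files verbatim)."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(secret)
    return path


def change_password(username: str, old_password: str, new_password: str) -> bool:
    """True when slapd accepted the change performed as the user."""
    if not valid_username(username):
        return False
    with tempfile.TemporaryDirectory() as tmp:   # 0700 dir, removed on exit
        old_file = _secret_file(tmp, "old", old_password)
        new_file = _secret_file(tmp, "new", new_password)
        result = subprocess.run(
            ldappasswd_argv(username, old_file, new_file),
            capture_output=True, text=True, check=False,
        )
    # Non-zero means the bind failed (wrong current password) or the ACL
    # refused the write; stderr is deliberately not echoed to the user.
    return result.returncode == 0


if __name__ == "__main__":
    import getpass
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else getpass.getuser()
    ok = change_password(user, getpass.getpass("Current password: "),
                         getpass.getpass("New password: "))
    print("password changed" if ok else "password change refused")
```

Because the bind DN is always the caller's own entry, a wrong current password fails at bind time and a correct one can still only write what "by self write" allows; the same script serves as the command-line tool Dustin mentions if it is installed as a captive login shell.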
Re: deployment question
That's very helpful, thank you. I was actually thinking of something similar except using mysql, but obviously ldap would be better as it directly provides that feature. However I was just reading some of the rlm_dbm file and it seems like the ideal backend for us, as it doesn't require any additional server software, is fast, etc. However I'm not too familiar with db and whether it would be easy to achieve the same thing, i.e. users being able to change their own record in the dbm users file. Any ideas?

Dustin Doris wrote:
> Ldap will provide that feature for you. An openldap acl might look like this. [...] That means you can login and change your own stuff, but can't see anyone else's.
Re: deployment question
dbm would be very fast and simple. I've never used it directly though, so I can't provide any help. OpenLDAP does use Berkeley DB as the backend db for data storage, so you are really just taking off a layer and making it much simpler. MySQL even offers a Berkeley DB backend. You will need to build some sort of front-end with access to write to that db though. This will get you back to the security issue before, as you'll have to have the logic of who can change what built into the front-end. You'll also have to write that front-end so it knows how to write correctly to the db. If you can do it, it should be real fast.

Maqbool Hashim wrote:
> That's very helpful, thank you. I was actually thinking of something similar except using MySQL, but obviously LDAP would be better as it directly provides that feature. However, I was just reading some of the rlm_dbm file and it seems like the ideal backend for us, as it doesn't require any additional server software, is fast, etc. However, I'm not too familiar with db and whether it would be easy to achieve the same thing, i.e. users being able to change their own record in the dbm users file. Any ideas?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: deployment question
On Wed, 13 Apr 2005, Maqbool Hashim wrote:
> True. Just coming back to your earlier mail:
>
> > Put the front-end on a different machine and have it only run Apache. Put the LDAP server on your private network and have the RADIUS server and web server with an interface on that network.
>
> The problem I can see with this is a PHP vulnerability would mean access to the backend. Basically putting the backend on the LAN doesn't really give us extra security, because the front-end will have full access to the Users table.

The only extra security is if you're using LDAP; then you don't need to hardcode a master username/password into the web server. So, in theory, if someone hacked your web server via a PHP vulnerability or whatever else, they still wouldn't have any way to do any damage to your LDAP directory or even view it.

If you were to use MySQL, then you'd need to hardcode some user that has write access to the whole database into your front-end. They get your web server, they've now got your db. Same with Berkeley DB. You might have to run the Berkeley DB and RADIUS servers on the same machine as the web server. Or run some kind of SSH script to access the remote server and modify the db. I don't know if you can modify a Berkeley DB remotely. Same problem: you'll have some kind of SSH key that will get them in, or they'll have local access to it.

Of course, if you use LDAP, someone gets into your web server and you then have an SSH exploit on your LDAP directory, you're out of luck again. But that's the engineer's fault for not keeping it up to date. You could always try to firewall the public website to only allow your IP space into it. That way if someone does mess it up, you can track it back to that person and kick their ass. :)

> hehe. I guess we've got to have a weak link somewhere huh?

Unfortunately. Any time something has to be publicly available, there is bound to be a hole somewhere.
Re: Radius deployment question
Great, thanks to everyone who made suggestions. I'm going to go ahead and implement according to Alan's suggestion because of the amount of separation that it gives, and it seems the best way of achieving this. One other point: if we are using an SQL backend then the radiusd process would never have to be restarted as well, right?

Alan DeKok wrote:
> The benefit with this approach is that no matter what the customer does to the database, it's *impossible* for them to affect any other customer.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius deployment question
Hi,

Do you mean I could separate users from different realms into different database tables? Is this what it means by using schemas? So rather than have one users table, I can have many different tables with users from different realms? And allow customers access to only the users table which applies to their firewall?

Dana Hudes wrote:
> At the database level you can create a database user and GRANT them rights on the users table. That would, however, allow them to mess with users of other external customers. If you tag VPN users so you can identify to whom the user belongs, you can use an application which authenticates the customer and allows control only over customers tagged appropriately. Another possibility, I suppose, would be a per-customer schema over which they have rights, but other customers' users are in their own respective schemas and unaffected. This would require adjustments on the user auth side; you'd need to add explicit schema support.
>
> On Wed, 25 Aug 2004, Maqbool Hashim wrote:
> > Is it possible for us to allow customers to be able to add users to the SQL table, without these users being authenticated for all of the other customers' firewalls? So we want customer A to be able to add users which are to be authenticated on Firewall A without these users being able to be authenticated on Firewalls B, C and D.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius deployment question
Alan DeKok wrote:
> You would be better off having the customers manage their own RADIUS servers, and having you just proxy to those servers. If the customers don't want to manage their own servers, you can still have a server locally, per-customer. That way, you can give each customer limited access to the SQL database, and be guaranteed that they can't affect other customers.

Ok, so the way this would work is to have an instance of the radiusd program running for every customer. Just point it at the right configuration files for the customer and bind it to a different port for each customer. Then give the customer access to the users table in the correct SQL database for their radius server.

> Put a proxying server in front of these other servers, and proxy based on realms.

Then stick a proxying server on the normal radius port and proxy based on realms. Is this how it would work?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius deployment question
A schema is a set of tables within a database. You can have identical table structure and names in each schema. You would need to fully specify the tables when referring to them: not 'users', which is really 'public.users', but for customer foo you could have 'foo.users' and for customer baz 'baz.users'. The customers each have rights in their respective schema. The code doesn't work that way right now.

On Thu, 26 Aug 2004, Maqbool Hashim wrote:
> Hi,
>
> Do you mean I could separate users from different realms into different database tables? Is this what it means by using schemas? So rather than have one users table, I can have many different tables with users from different realms? And allow customers access to only the users table which applies to their firewall?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius deployment question
Maqbool Hashim [EMAIL PROTECTED] wrote:
> Ok, so the way this would work is to have an instance of the radiusd program running for every customer. Just point it at the right configuration files for the customer and bind it to a different port for each customer. Then give the customer access to the users table in the correct SQL database for their radius server.

Yes.

> Then stick a proxying server on the normal radius port and proxy based on realms. Is this how it would work?

Yes. The benefit with this approach is that no matter what the customer does to the database, it's *impossible* for them to affect any other customer.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
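The per-customer instance plus front proxy that Alan confirms above, written out as an added configuration example. It is not from the thread, and it uses FreeRADIUS 3 syntax, which postdates this 2004 exchange (the 1.x proxy.conf of the time used a different realm block). Host names, ports, secrets, database names and the customerA / firewallA labels are all assumed. It goes one step beyond the thread's sketch: the front proxy chooses the realm from which firewall sent the request rather than from a user-typed "user@realm" suffix, because the suffix is under the end user's control while the NAS address and shared secret are not.

```conf
# ---- per-customer instance: /etc/freeradius/customerA/radiusd.conf ----
# Run as a separate process: radiusd -d /etc/freeradius/customerA
# (give it its own logdir, run_dir and pidfile so it does not collide
# with the default instance). It listens only on loopback, so the only
# thing that can reach it is the front proxy on the same host.
listen {
    type   = auth
    ipaddr = 127.0.0.1
    port   = 18121
}
listen {
    type   = acct
    ipaddr = 127.0.0.1
    port   = 18122
}

# ---- /etc/freeradius/customerA/clients.conf ----
# The front proxy is the only RADIUS client of this instance.
client frontproxy {
    ipaddr = 127.0.0.1
    secret = change-me-customerA
}

# ---- /etc/freeradius/customerA/mods-available/sql (rlm_sql) ----
# This instance reads a database holding only customer A's users. Customer A
# gets a MySQL account with rights on that database alone, e.g.
#   GRANT SELECT, INSERT, UPDATE, DELETE ON radius_customerA.* TO 'customerA'@'%';
# Whatever they do there, the only server that ever reads it is this one.
sql {
    driver    = "rlm_sql_mysql"
    dialect   = "mysql"
    server    = "localhost"
    login     = "radius_customerA"
    password  = "change-me"
    radius_db = "radius_customerA"
}

# ---- front proxy (default instance on 1812/1813): proxy.conf ----
# One home_server / pool / realm triple per customer.
home_server customerA {
    # auth+acct: accounting packets are sent to port + 1, i.e. 18122
    type   = auth+acct
    ipaddr = 127.0.0.1
    port   = 18121
    secret = change-me-customerA
}
home_server_pool customerA_pool {
    type        = fail-over
    home_server = customerA
}
realm customerA.example {
    auth_pool = customerA_pool
    acct_pool = customerA_pool
}

# ---- front proxy: clients.conf ----
# Each customer's firewall is a client whose name identifies the customer.
client firewallA {
    ipaddr    = 192.0.2.10
    secret    = change-me-firewallA
    shortname = firewallA
}

# ---- front proxy: sites-enabled/default ----
# Route by which firewall sent the request, not by a user-supplied realm
# suffix. A user that customer A created therefore never reaches customer
# B's instance, whatever name they type. The proxy has no local users, so
# a request with no realm mapping is rejected outright.
authorize {
    if ("%{Client-Shortname}" == "firewallA") {
        update control {
            &Proxy-To-Realm := "customerA.example"
        }
    }
    if (!&control:Proxy-To-Realm) {
        reject
    }
}
# Put the same Client-Shortname mapping in the preacct section so that
# accounting packets follow the same route.
```

Isolation here comes from process and data separation, exactly as Alan describes: customer A's SQL account can only touch radius_customerA, and the only consumer of that database is the customerA radiusd, which in turn only answers the front proxy. Adding a customer means a new config directory, a new loopback port, and one more home_server / client / authorize mapping on the proxy.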
Radius deployment question
I'd like to know if it is possible to allow external customers limited access to add users to our RADIUS configuration.

We manage many firewalls for different customers. VPN users on the firewalls can be authenticated via our FreeRADIUS server. So when another VPN needs to be set up on the firewall, we add a user into the users file or the SQL table. Is it possible for us to allow customers to be able to add users to the SQL table, without these users being authenticated for all of the other customers' firewalls? So we want customer A to be able to add users which are to be authenticated on Firewall A without these users being able to be authenticated on Firewalls B, C and D.

Is this possible? I know this will involve realms, but how can we get the customer to update the RADIUS configuration without giving them too much access to the RADIUS files? Has anyone got a similar setup or know how this can be achieved?

Regards
Maqbool

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius deployment question
Maqbool Hashim [EMAIL PROTECTED] wrote:
> I'd like to know if it is possible to allow external customers limited access to add users to our RADIUS configuration.

Yes, but it's probably a bad idea.

> Is this possible? I know this will involve realms, but how can we get the customer to update the RADIUS configuration without giving them too much access to the RADIUS files?

You would be better off having the customers manage their own RADIUS servers, and having you just proxy to those servers.

If the customers don't want to manage their own servers, you can still have a server locally, per-customer. That way, you can give each customer limited access to the SQL database, and be guaranteed that they can't affect other customers.

Put a proxying server in front of these other servers, and proxy based on realms.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius deployment question
At the database level you can create a database user and GRANT them rights on the users table. That would, however, allow them to mess with users of other external customers. If you tag VPN users so you can identify to whom the user belongs, you can use an application which authenticates the customer and allows control only over customers tagged appropriately. Another possibility, I suppose, would be a per-customer schema over which they have rights, but other customers' users are in their own respective schemas and unaffected. This would require adjustments on the user auth side; you'd need to add explicit schema support.

On Wed, 25 Aug 2004, Maqbool Hashim wrote:
> Is it possible for us to allow customers to be able to add users to the SQL table, without these users being authenticated for all of the other customers' firewalls? So we want customer A to be able to add users which are to be authenticated on Firewall A without these users being able to be authenticated on Firewalls B, C and D. Is this possible? I know this will involve realms, but how can we get the customer to update the RADIUS configuration without giving them too much access to the RADIUS files?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html