RE: Multiple Locations and configuring 2 different methods of Access
James, What gateway are you using? Do you want to allow authentication on some sites and other sites to be free? If so you can just set the free sites up do not perform authentication and just allow users access . Regards Jaco van Tonder From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Sent: 19 April 2006 09:43 PM To: FreeRadius users mailing list Subject: Re: Multiple Locations and configuring 2 different methods of Access we are sterring away from the original question here. if there is a way to setup RADIUS to somehow send a message or configuration attribute to the gateway to allow any clients connected to the gateway to access the internet without extra authentication aside from simply connecting to the gateway itself? The short answer is to read the documentation for the gateway software. If it says that the gateway can do this, AND it can be configured through RADIUS, then it SHOULD say which RADIUS attribute, and what value to use. That's exactly the part that I cannot find an answer to Alan, that's why I posted here to see if anyone has anything related to this. That's all the help I will be needing from you , Thank you for your time. now lets keep in mind that there are multiple locations here and therefor are multiple gateways, all I want to know is of there is a way to allow just some of the gateways, not all, to give access without username/password authentication. Now you're disagreeing with yourself again. This confuses the issue, and makes it difficult for anyone to solve the problem, because you keep changing the story about what the problem is. a) people ALWAYS use RADIUS to authenticate before they get on the net. b) people ALWAYS get a pretty web portal before they access the net c) people SOMEHOW get past the web portal to get real net access You want to change (b) so that SOME people get a web portal, sometimes. The paragraph I quoted above says you want to change requirement (a). Which is it? I don't think you're clear on what you're trying to do. Or, you're not describing it in a consistent and clear way. I do admit, I could not make it clear enough for you to understand, but no worries, I gave it a shot anyways. Once again, I do thank you for your time Alan. If there is someone else besides Alan out there who is trying to achieve the same thing, I would love to hear from them. Thank you all and thank you Alan. James - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple Locations and configuring 2 different methods of Access
On Wed, 2006-04-19 at 15:10 -0400, Alan DeKok wrote: a) people ALWAYS use RADIUS to authenticate before they get on the net. b) people ALWAYS get a pretty web portal before they access the net c) people SOMEHOW get past the web portal to get real net access Reading between the lines on the original problem a) is the normal situation for a valid user b) would occur when the user is currently not authorised, due to perhaps not paying their bill c) is acheived by paying the bill via the portal, which updates Radius to then allow that user. Then the user MUST disconnect reconnect to setup a new session (this is normally due to the NAS or BRAS limitations) Stuart === Homechoice is a trading name of Video Networks Limited of 205 Holland Park Avenue, London W11 4XB and registered in England and Wales (No. 2740910). This email may contain confidential and privileged information and is intended for the named or authorised recipients only. If you are not the named or authorised recipient of this email, please note that any copying, distribution, disclosure or use of its contents is strictly prohibited. If you have received this email in error please notify the sender immediately and then destroy it. The views expressed in this email are not necessarily those held by Video Networks Limited and we do not accept any liability for any action taken in reliance on the contents of this message. We do not guarantee that the integrity of this email has been maintained, nor that it is free of viruses, interceptions or interference. ___ This email has been scanned for all known viruses by the MessageLabs Email Security System. ___ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple Locations and configuring 2 different methods of Access
Hello, I am running freeradius 1.0.5 on FC4 i386 My end-users right now are getting authenticated by the login-based mysql radcheck table from freeradius and they are coming from multiple locations through a web-based portal redirected by their gateway. My question is, if there is a way to setup freeradius for example: to allow for 3 locations to login through the login based authentication (the way it is setup right now) and at the same time grant 2 other locations access without the need of using login based authentication, I now there is an option to allow access without authentication, but to my understanding this is global for all locations, I am looking for a way to allow access without athentication for a specific location and at the same time not interfere with the locations that are using login-based authentication. Is this possible? If so, where can I get more documentation on this topic and where can I see an actual configuration example of this type of setup? If this is not possible out of the box, where can I get documentation on a work around or similar solutions? Thank you in advance for all your help, James - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple Locations and configuring 2 different methods of Access
James [EMAIL PROTECTED] wrote: My end-users right now are getting authenticated by the login-based mysql radcheck table from freeradius and they are coming from multiple locations through a web-based portal redirected by their gateway. They're being authenticated by the web portal? My question is, if there is a way to setup freeradius for example: to allow for 3 locations to login through the login based authentication (the way it is setup right now) and at the same time grant 2 other locations access without the need of using login based authentication, So you're asking that some people get forced to use the web portal, and others bypass it? This isn't a RADIUS problem. You're asking that some people (you don't say how you determine that) bypass authentication... which means bypassing RADIUS. I don't see how RADIUS can tell people who don't use RADIUS that they don't need to use RADIUS. Alan Dekok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple Locations and configuring 2 different methods of Access
James [EMAIL PROTECTED] wrote: My end-users right now are getting authenticated by the login-based mysql radcheck table from freeradius and they are coming from multiple locations through a web-based portal redirected by their gateway. They're being authenticated by the web portal? The connection is setup like this: 1. Laptop - AP - Gateway - RADIUS DSL Modem 2. The Gateway redirects clients to a custom web portal on the web. 3. when a client creates an account on the web portal, the web portal has a custom login form for the gateway. 4. when the click on submit on the custom login form , it POST's to the gateway and the gateway communicates back to the RADIUS and them gives them access. My question is, if there is a way to setup freeradius for example: to allow for 3 locations to login through the login based authentication (the way it is setup right now) and at the same time grant 2 other locations access without the need of using login based authentication, So you're asking that some people get forced to use the web portal, and others bypass it? Right now, people are already going through the web portal or are already "forced to use the web portal" to get authenticated. so what I am asking for is: if there is a way to setup RADIUS to somehow send a message or configuration attribute to the gateway to allow any clients connected to the gateway to access the internet without extra authentication aside from simply connecting to the gateway itself. This isn't a RADIUS problem. You're asking that some people (you don't say how you determine that) bypass authentication... which means bypassing RADIUS. I don't see how RADIUS can tell people who don't use RADIUS that they don't need to use RADIUS. Alan Dekok. Sorry if I was not clear before, I was not asking to bypass RADIUS at all, please see the previous message. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple Locations and configuring 2 different methods of Access
James [EMAIL PROTECTED] wrote: Right now, people are already going through the web portal or are already forced to use the web portal to get authenticated. so what I am asking for is: if there is a way to setup RADIUS to somehow send a message or configuration attribute to the gateway to allow any clients connected to the gateway to access the internet without extra authentication aside from simply connecting to the gateway itself. Does the gateway send RADIUS packets when people connect to it? If not, you can't use RADIUS to configure the behavior of the gateway. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple Locations and configuring 2 different methods of Access
Does the gateway send RADIUS packets when people connect to it? If not, you can't use RADIUS to configure the behavior of the gateway. Im not quite sure what you mean, I know that: 1. The gateway has accounting "on" and every 3 minutes it updates the RADIUS with packets containing the sessions of connected users and any related data. (this might be a yes to your answer, but I am not quite sure) 2. The gateway checks with the RADIUS server if a user is allowed to use the internet and also how much time he is allowed to use. 3. I can see in the log file when people connect through the RADIUS and I can see updates in the detailed accounting log for an specific location. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple Locations and configuring 2 different methods of Access
James [EMAIL PROTECTED] wrote: Im not quite sure what you mean, I know that: 1. The gateway has accounting on and every 3 minutes it updates the RADIUS with packets containing the sessions of connected users and any related data. (this might be a yes to your answer, but I am not quite sure) It's a yes to my question. Your original post said only that the portal did authentication. It said nothing about the gateway doing authentication. 2. The gateway checks with the RADIUS server if a user is allowed to use the internet and also how much time he is allowed to use. You said that everyone gets authenticated through the web portal. Why? It's not necessary to authenticate people twice. It causes problems, as you've seen. You don't need the web portal authentication, unless it's for some other purpose you're not saying. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple Locations and configuring 2 different methods of Access
You said that everyone gets authenticated through the web portal. Why? It's not necessary to authenticate people twice. It causes problems, as you've seen. no one gets authenticated twice, a nice looking HTML form is the only thing the web portal is. that's it. nothing more. the authentication is only done once by the gateway. You don't need the web portal authentication, unless it's for some other purpose you're not saying. we are sterring away from the original question here. if there is a way to setup RADIUS to somehow send a message or configuration attribute to the gateway to allow any clients connected to the gateway to access the internet without extra authentication aside from simply connecting to the gateway itself? now lets keep in mind that there are multiple locations here and therefor are multiple gateways, all I want to know is of there is a way to allow just some of the gateways, not all, to give access without username/password authentication. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple Locations and configuring 2 different methods of Access
James [EMAIL PROTECTED] wrote: no one gets authenticated twice, a nice looking HTML form is the only thing the web portal is. that's it. nothing more. the authentication is only done once by the gateway. That's not quite what you said at first, but OK... we are sterring away from the original question here. if there is a way to setup RADIUS to somehow send a message or configuration attribute to the gateway to allow any clients connected to the gateway to access the internet without extra authentication aside from simply connecting to the gateway itself? The short answer is to read the documentation for the gateway software. If it says that the gateway can do this, AND it can be configured through RADIUS, then it SHOULD say which RADIUS attribute, and what value to use. now lets keep in mind that there are multiple locations here and therefor are multiple gateways, all I want to know is of there is a way to allow just some of the gateways, not all, to give access without username/password authentication. Now you're disagreeing with yourself again. This confuses the issue, and makes it difficult for anyone to solve the problem, because you keep changing the story about what the problem is. a) people ALWAYS use RADIUS to authenticate before they get on the net. b) people ALWAYS get a pretty web portal before they access the net c) people SOMEHOW get past the web portal to get real net access You want to change (b) so that SOME people get a web portal, sometimes. The paragraph I quoted above says you want to change requirement (a). Which is it? I don't think you're clear on what you're trying to do. Or, you're not describing it in a consistent and clear way. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple Locations and configuring 2 different methods of Access
we are sterring away from the original question here. if there is a way to setup RADIUS to somehow send a message or configuration attribute to the gateway to allow any clients connected to the gateway to access the internet without extra authentication aside from simply connecting to the gateway itself? The short answer is to read the documentation for the gateway software. If it says that the gateway can do this, AND it can be configured through RADIUS, then it SHOULD say which RADIUS attribute, and what value to use. That's exactly the part that I cannot find an answer to Alan, that's why I posted here to see if anyone has anything related to this. That's all the help I will be needing from you , Thank you for your time. now lets keep in mind that there are multiple locations here and therefor are multiple gateways, all I want to know is of there is a way to allow just some of the gateways, not all, to give access without username/password authentication. Now you're disagreeing with yourself again. This confuses the issue, and makes it difficult for anyone to solve the problem, because you keep changing the story about what the problem is. a) people ALWAYS use RADIUS to authenticate before they get on the net. b) people ALWAYS get a pretty web portal before they access the net c) people SOMEHOW get past the web portal to get real net access You want to change (b) so that SOME people get a web portal, sometimes. The paragraph I quoted above says you want to change requirement (a). Which is it? I don't think you're clear on what you're trying to do. Or, you're not describing it in a consistent and clear way. I do admit, I could not make it clear enough for you to understand, but no worries, I gave it a shot anyways. Once again, I do thank you for your time Alan. If there is someone else besides Alan out there who is trying to achieve the same thing, I would love to hear from them. Thank you all and thank you Alan. James - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple Locations and configuring 2 different methods of Access
You may be wanting something more like a captive portal for some of your gateways. Try googling captive portal. I use chillispot myself; http://www.chillispot.org I have two wireless networks. One is secured with EAP-PEAP and auths users against our Active Directory via RADIUS (ntlm_auth) for employees. The other is open, but has no direct connection to our main LAN. A captive portal server (chillispot in my case) routes between the public wireless and private wired network to provide only Internet access to the public users (guests, vendors, customers, etc) by explicitly routing all of their traffic out the T1 hanging off our private router. Hope that helps. Laker --- James [EMAIL PROTECTED] wrote: we are sterring away from the original question here. if there is a way to setup RADIUS to somehow send a message or configuration attribute to the gateway to allow any clients connected to the gateway to access the internet without extra authentication aside from simply connecting to the gateway itself? The short answer is to read the documentation for the gateway software. If it says that the gateway can do this, AND it can be configured through RADIUS, then it SHOULD say which RADIUS attribute, and what value to use. That's exactly the part that I cannot find an answer to Alan, that's why I posted here to see if anyone has anything related to this. That's all the help I will be needing from you , Thank you for your time. now lets keep in mind that there are multiple locations here and therefor are multiple gateways, all I want to know is of there is a way to allow just some of the gateways, not all, to give access without username/password authentication. Now you're disagreeing with yourself again. This confuses the issue, and makes it difficult for anyone to solve the problem, because you keep changing the story about what the problem is. a) people ALWAYS use RADIUS to authenticate before they get on the net. b) people ALWAYS get a pretty web portal before they access the net c) people SOMEHOW get past the web portal to get real net access You want to change (b) so that SOME people get a web portal, sometimes. The paragraph I quoted above says you want to change requirement (a). Which is it? I don't think you're clear on what you're trying to do. Or, you're not describing it in a consistent and clear way. I do admit, I could not make it clear enough for you to understand, but no worries, I gave it a shot anyways. Once again, I do thank you for your time Alan. If there is someone else besides Alan out there who is trying to achieve the same thing, I would love to hear from them. Thank you all and thank you Alan. James - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Multiple Locations and configuring 2 different methods of Access
Hello, I am running freeradius 1.0.5 on FC4 i386 My end-users right now are getting authenticated by the login-based mysql radcheck table from freeradius and they are coming from multiple locations through a web-based portal redirected by their gateway. My question is, if there is a way to setup freeradius for example: to allow for 3 locations to login through the login based authentication (the way it is setup right now) and at the same time grant 2 other locations access without the need of using login based authentication, I now there is an option to allow access without authentication, but to my understanding this is global for all locations, I am looking for a way to allow access without athentication for a specific location and at the same time not interfere with the locations that are using login-based authentication. Is this possible? If so, where can I get more documentation on this topic and where can I see an actual configuration example of this type of setup? If this is not possible out of the box, where can I get documentation on a work around or similar solutions? Thank you in advance for all your help, James - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html