I used FreeRadius a few years back to authenticate dialup users on a Max Ascend unit. I had it working with PAM so that it authenticated against my main NFS/NIS server. This made dialup logins the same as network logins.
It was a PITA to set up, but once done it worked for years without maintenance. I had to download and read (and read, and read, and read) all the Livingston Radius docs - which FreeRadius was based on - as the FreeRadius docs were non-existent at the time. Hopefully you will find things much easier now.

Jon Carnes

On Tue, 2004-12-07 at 09:28, Aaron S. Joyner wrote:
> [EMAIL PROTECTED] wrote:
>
> >As a disclaimer I have never set up radius before. Ever. Okay, here's where
> >I find myself. <snip problem description>
> >
>
> First, there are a few things to understand about Radius. Radius is
> nothing more than an authentication protocol. "Radius", as an ephemeral
> concept, can not do any of the things you're asking of it. On the other
> hand, Radius can be an enabling technology that allows your device (in
> this case monowall) to defer to a more intelligent back-end for
> determining who is, and who is not, authenticated.
>
> The most common GPL'd radius server in use is FreeRadius, which can be
> found here: http://www.freeradius.org/ FreeRadius is capable of using
> lots of back-end authentication methods, including PAM, SQL, LDAP, and
> others. It's probably easiest to configure FreeRadius to authenticate
> against a back-end you're comfortable manipulating, and then simply
> adjust the back end on a monthly basis (perhaps via a script), to
> accomplish your goals.
>
> Consider this scenario: Monowall authenticates via Radius, against your
> FreeRadius server. Your FreeRadius server is configured to authenticate
> against a MySQL table. That table contains two columns and only one
> row, which define a valid username and password. Every month, your end
> user comes to a password-protected web page which presents them with a
> box to enter a new password. This page updates the 2nd column in the
> database, and then everyone has to use the new password that month.
> That's perhaps the easiest, path of least resistance, to solve your
> problem.
>
> Other options include auth'ing against PAM, and then any valid
> user account would succeed. You could restrict which accounts are valid
> for authentication, either in FreeRadius or possibly in PAM. Then you
> would only need to change one user's password on a monthly basis. You
> could also take either model and scale them up from the single-user idea
> you originally had in mind, and allow multiple users, and create /
> remove / edit them through any mechanism that modifies MySQL (or local
> user accounts) that you like (i.e. a PERL / PHP web front-end, which
> could make it easy to print out EULAs, etc).
>
> Good luck in the world of Radius,
> Aaron S. Joyner

--
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
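
The monthly back-end adjustment "perhaps via a script" from the quoted scenario, sketched as an added example that is not part of either message and not FreeRadius code. It assumes a two-column table named portal_login and a shared account named guest (both hypothetical), and uses an in-memory SQLite database as a stand-in for MySQL so it runs offline.

```python
import secrets
import sqlite3
import string

# Assumed two-column table from the scenario; table and column names are hypothetical.
SCHEMA = "CREATE TABLE portal_login (username TEXT PRIMARY KEY, password TEXT NOT NULL)"
ALPHABET = string.ascii_letters + string.digits  # printable on a handout


def new_password(length=12):
    """Draw the password from the OS CSPRNG, not the random module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate(conn, username, length=12):
    """Replace the account's password and return the new value.

    Raises unless exactly one row changed, so a mistyped username cannot
    silently leave last month's password in force.
    """
    password = new_password(length)
    with conn:  # commits on success, rolls back if we raise
        cur = conn.execute(
            "UPDATE portal_login SET password = ? WHERE username = ?",
            (password, username),  # bound parameters, never string formatting
        )
        if cur.rowcount != 1:
            raise LookupError(f"expected 1 row for {username!r}, got {cur.rowcount}")
    return password


def current_password(conn, username):
    """Return the stored password for username, or None if absent."""
    row = conn.execute(
        "SELECT password FROM portal_login WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Constructed sample data: one shared account named 'guest'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO portal_login VALUES ('guest', 'old-secret')")
    conn.commit()
    return conn, rotate(conn, "guest")


if __name__ == "__main__":
    _, issued = demo()
    print("password for this month:", issued)
```

Run from cron once a month, the returned value is what gets handed to users; the same function works behind a web form if the operator prefers to trigger the change by hand.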
