[TriLUG] need Radius suggestions/help
Aaron S. Joyner
aaron at joyner.ws
Tue Dec 7 09:28:46 EST 2004
gregbrown at mindspring.com wrote:
>As a disclaimer I have never set up radius before. Ever. Okay, here's where I find myself. <snip problem description>
>
First, there are a few things to understand about Radius. Radius is
nothing more than an authentication protocol. "Radius", as an ephemeral
concept, cannot do any of the things you're asking of it. On the other
hand, Radius can be an enabling technology that allows your device (in
this case monowall) to defer to a more intelligent back-end for
determining who is, and who is not, authenticated.

The most common GPL'd radius server in use is FreeRadius, which can be
found here: http://www.freeradius.org/ FreeRadius is capable of using
lots of back-end authentication methods, including PAM, SQL, LDAP, and
others. It's probably easiest to configure FreeRadius to authenticate
against a back-end you're comfortable manipulating, and then simply
adjust the back-end on a monthly basis (perhaps via a script) to
accomplish your goals.

Consider this scenario: Monowall authenticates via Radius, against your
FreeRadius server. Your FreeRadius server is configured to authenticate
against a MySQL table. That table contains two columns and only one
row, which define a valid username and password. Every month, your end
user comes to a password-protected web page which presents them with a
box to enter a new password. This page updates the 2nd column in the
database, and then everyone has to use the new password that month.

That's perhaps the easiest path (of least resistance) to solve your
problem. Other options include auth'ing against PAM, and then any valid
user account would succeed. You could restrict which accounts are valid
for authentication, either in FreeRadius or possibly in PAM. Then you
would only need to change one user's password on a monthly basis. You
could also take either model and scale it up from the single-user idea
you originally had in mind, and allow multiple users, and create /
remove / edit them through any mechanism that modifies MySQL (or local
user accounts) that you like (i.e. a Perl / PHP web front-end, which
could make it easy to print out EULAs, etc).

Good luck in the world of Radius,
Aaron S. Joyner
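The one-row-table scenario Aaron sketches, as an added example that is not part of the original post or of FreeRADIUS: Python with sqlite3 standing in for MySQL, a table shaped like FreeRADIUS's radcheck table, and the shared password stored salted-and-hashed rather than in clear, so the monthly update from the web front-end never leaves a cleartext secret in the database. The SSHA2-256-Password value format (base64 of SHA-256(password + salt) followed by the salt) is assumed from the rlm_pap documentation; confirm it against your server version before relying on it.

```python
# Added example, not from the original post. Assumptions: sqlite3 stands in
# for MySQL; the table mirrors FreeRADIUS's radcheck layout (username,
# attribute, op, value); the SSHA2-256-Password encoding is assumed to be
# base64(SHA-256(password + salt) || salt) as documented for rlm_pap.
import base64
import hashlib
import os
import secrets
import sqlite3

HASH_ATTR = "SSHA2-256-Password"


def ssha256(password, salt=None):
    """Salted SHA-256 in the assumed rlm_pap layout: digest then salt, base64'd."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(password.encode() + salt).digest()
    return base64.b64encode(digest + salt).decode()


def ssha256_verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    raw = base64.b64decode(stored)
    digest, salt = raw[:32], raw[32:]
    return secrets.compare_digest(digest, hashlib.sha256(password.encode() + salt).digest())


def init_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,"
                 " attribute TEXT NOT NULL, op TEXT NOT NULL DEFAULT ':=', value TEXT NOT NULL)")
    return conn


def rotate_password(conn, username, new_password=None):
    """Monthly rotation: overwrite the single row's value (the '2nd column' in the mail).
    Parameterized SQL, so the web form's input never reaches the query text."""
    new_password = new_password or secrets.token_urlsafe(16)
    conn.execute("INSERT OR REPLACE INTO radcheck (username, attribute, op, value) VALUES (?, ?, ':=', ?)",
                 (username, HASH_ATTR, ssha256(new_password)))
    conn.commit()
    return new_password


def check_login(conn, username, password):
    """What the RADIUS server does per Access-Request: fetch the row, compare the hash."""
    row = conn.execute("SELECT attribute, value FROM radcheck WHERE username = ?", (username,)).fetchone()
    if row is None or row[0] != HASH_ATTR:
        return False
    return ssha256_verify(password, row[1])
```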