- 05-02-2006 #1
- Join Date
- May 2006
How can I implement radius to control internet use in office?
Hello, I'm a first-time poster here and it's also my first posting in this kind of board anywhere. Usually I only browsed threads and posts from other Linux boards. But since I'm going to have to learn to live with a *NIX system, I feel I need to take on a more active role. That ends my intro.
This is my situation:
Everyone can use the internet freely in the office; they just need an IP address, DNS, and gateway. The internet is through a Red Hat gateway with nothing more than maybe IP forwarding.
There's also a SugarCRM server (separate) that requires login.
What I want:
To implement RADIUS for internet access. If I can integrate RADIUS login with SugarCRM login, that'd be even better.
Can someone suggest a probable setup for this scenario? The list of things that I will need? And where to look for help?
Thanks in advance
- 05-02-2006 #2
You might not even need to go this far. All you really need to do is deny access to the internet for everyone, and set up a proxy (such as squid), then give everyone authenticated access to the squid proxy. You can provide that authentication using radius if you want. Or kerberos, or with an LDAP database, or even with simple unix accounts.
- 05-04-2006 #3
- Join Date
- May 2006
But what I want is the act of logging/typing in with user and passwd. So some kind of user/pass verification before the network lets you surf the web.
I reckon the gateway will pass login info to RADIUS and receive authentication info back. I've managed to run a FreeRADIUS server before, so that's no problem. But I'm in the dark about what to configure on the gateway server side. Such as which component will receive and respond to authorization received from RADIUS?
- 05-04-2006 #4
I think the solution is still going to involve a web proxy to intercept web requests and enforce the authentication.
You may have to write some scripts of your own to enforce the username/password entry to hand off to a FreeRADIUS system for authentication. You want it to hold the access open for a few minutes too; you don't want it asking for a new username/password for each minute element, picture or frame on each web page.
And try to ensure that there is no other access out to the internet. I can bypass my company's firewall here by logging into my home LAN with ssh, and forwarding my proxy port to the local machine - then pointing the browser at the local proxy (I don't do this, but I could; it's actually easier to use a VNC session and view the pages on my server at home).
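The hand-off discussed in posts #3 and #4 (a gateway-side script that passes the typed username/password to FreeRADIUS and acts on the answer) can be written as a Squid basic-auth helper. The following is an added example, not code from any poster in this thread: a standard-library RADIUS PAP client that speaks Squid's helper protocol ("user password" in, `OK`/`ERR` out). The server address `192.0.2.10`, the `RADIUS_SECRET` environment variable and the NAS-Identifier `squid-gw` are assumptions.

```python
import hashlib, hmac, os, socket, struct, sys
from urllib.parse import unquote_to_bytes

def hide_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding: XOR 16-byte blocks with chained MD5."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_request(ident, user, password, secret, authenticator):
    """Access-Request (code 1): User-Name, User-Password, NAS-Identifier (assumed value)."""
    hidden = hide_password(password, secret, authenticator)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v
                     for t, v in ((1, user), (2, hidden), (32, b"squid-gw")))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def reply_is_accept(reply, ident, req_auth, secret):
    """True only for an Access-Accept (code 2) whose Response Authenticator verifies."""
    # Short replies are zero-padded so they fail the length check below.
    code, rid, length = struct.unpack("!BBH", reply[:4].ljust(4, b"\x00"))
    if rid != ident or not 20 <= length <= len(reply):
        return False
    reply = reply[:length]
    want = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(want, reply[4:20]) and code == 2

def check(user, password, server, secret, timeout=3.0):
    """Ask the RADIUS server; any timeout, socket error or bad reply means deny."""
    if not user or len(user) > 253 or len(password) > 128:
        return False
    ident, auth = os.urandom(1)[0], os.urandom(16)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect(server)  # only accept datagrams from this server
            s.send(build_request(ident, user, password, secret, auth))
            return reply_is_accept(s.recv(4096), ident, auth, secret)
    except OSError:
        return False

if __name__ == "__main__":
    server, secret = ("192.0.2.10", 1812), os.environ["RADIUS_SECRET"].encode()  # placeholders
    for line in sys.stdin:  # Squid sends one "user password" pair per line, URL-escaped
        p = line.split()
        ok = len(p) == 2 and check(*map(unquote_to_bytes, p), server, secret)
        print("OK" if ok else "ERR", flush=True)
```

The "hold the access open for a few minutes" behaviour is then Squid's own `auth_param basic credentialsttl` setting rather than something the helper has to track. PAP over RADIUS is protected only by the shared secret, so the helper-to-server traffic belongs on a trusted segment.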