
Re: Re: Radius, Cisco 1600 and Windows Clients



Ah, everything just got much more complicated.

You are going to need an authentication and access control system.
Something like you would use in an Internet Cafe or wireless access
point or something. A lot depends upon your equipment, the goals of
the solution, and budget.

This is outside of my expertise, so you are going to have to keep on
looking.  Good luck though!

Google around and you can probably find more on what you need.



On Mon, Mar 14, 2005 at 01:35:13PM -0300, Agustín Ciciliani wrote:
> Dear Jesse,
> Let me tell you all the idea then...
> I'm working for an ISP, so the top goal for us would be that we could authenticate the
> user by IP, MAC, username and password, and only if all this is correct for that client,
> we allow him to access the Internet, but with all services (ftp, ssh, web, pop3, smtp, etc.),
> not just http. Something else that we need is to allow him just for some time, let's say for
> example during the night, or for an hour...
> 
> We don't care what kind of packets our users will traffic. We only want to control if he
> is able to access all the Internet or not and for how much time...
> 
> I thought of freeradius because I can maintain the clients' data in a mysql database and, as
> I could read, my network has all that's needed, but if you say I have to use something
> else, you are the expert here!
> Let me say that I'm really grateful for your help! I hope we can make all this work.
> Thanks again,
> 
> Agustin
> 
> ----- Original Message ----- 
> From: <agustin@maderonet.net.ar>
> To: <jesse@opendreams.net>
> Cc: <debian-isp@lists.debian.org>
> Sent: Saturday, March 12, 2005 12:58 PM
> Subject: Re: Re: Radius, Cisco 1600 and Windows Clients
> 
> 
> ------------------------------------------------------------------------
> 
> Okay, so this isn't really what I thought it was.
> 
> I have an important question for you;
> 
> Do you want to authenticate just http/web traffic?
> 
> Or
> 
> Do you want to authenticate to send any packet from the clients
> through the router?
> 
> 
> 
> Depending upon your answer, something simple such as using Squid
> authentication might work, or it might require something more such as a
> tunneling setup. I think iptables has some kind of support for this
> kind of thing, but I'm not sure it applies in this situation because the
> packets are coming from a foreign host.
> 
> 
> 
> On Fri, Mar 11, 2005 at 04:59:12PM -0300, Agustín Ciciliani wrote:
> > Jesse,
> >
> > Sorry about the last message...
> >
> > I was saying:
> >
> > First of all, no ISDN, or modems or telephone lines...
> >
> > Just imagine one switch with 5 windows clients that access the internet using the cisco 1600
> > as their gateway.
> > I want them to reach the internet only if they pass some kind of authentication first.
> >
> > Thanks for everything,
> >
> > Agustin
> >
> > > I'll try to explain myself...
> > >
> > > First of all, no ISDN, or modems or telephone lines...
> > >
> > >
> > >
> > > ----- Original Message ----- 
> > > From: "Jesse Molina" <jesse@opendreams.net>
> > > To: "Agustín Ciciliani" <agustin@maderonet.net.ar>
> > > Cc: <debian-isp@lists.debian.org>
> > > Sent: Friday, March 11, 2005 4:22 PM
> > > Subject: Re: Radius, Cisco 1600 and Windows Clients
> > >
> > >
> > > >
> > > > Hmmm...
> > > >
> > > > I'm a little confused. Are you trying to set up L2TP? Your original
> > > > email said "dial in", so I immediately thought of modem dial-in or ISDN
> > > > dial-in, but it seems like you are trying to do something else, like
> > > > tunneling.
> > > >
> > > > Can you clarify Agustin?
> > > >
> > > >
> > > >
> > > > On Fri, Mar 11, 2005 at 03:47:41PM -0300, Agustín Ciciliani wrote:
> > > > > Dear Jesse,
> > > > >
> > > > > Thank you for your time!
> > > > >
> > > > > Now you say, in fact I have some doubts about the support for ppp in the interfaces...
> > > > >
> > > > > I've asked for a simplified model because I think I am able to figure out how to implement
> > > > > it in my WAN, but my real WAN looks like this (if this helps...)
> > > > >
> > > > > [LAN] PCs (clients) --------> (ethernet 0) Cisco 1601R (serial 0) ------------> Aerials
> > > > > cloud ----------> (E1) Cisco 2600 (ethernet 0/0) [6500 VLAN] Radius Server ---------> The
> > > > > 6500 routes me to the Internet...
> > > > >
> > > > > Agustin
> > > > >
> > > > >
> > > > > ----- Original Message ----- 
> > > > > From: "Jesse Molina" <jesse@opendreams.net>
> > > > > To: "Agustín Ciciliani" <agustin@maderonet.net.ar>
> > > > > Cc: <debian-isp@lists.debian.org>
> > > > > Sent: Friday, March 11, 2005 3:12 PM
> > > > > Subject: Re: Radius, Cisco 1600 and Windows Clients
> > > > >
> > > > >
> > > > > >
> > > > > > Hi Agustin
> > > > > >
> > > > > > What kind of interface are you using on that 1601R? An Async serial?
> > > > > > The aux port? ISDN?
> > > > > >
> > > > > > Posting your configuration <minus passwords and such> might be useful
> > > > > > and gives us more info. (use "show tech" if possible)
> > > > > >
> > > > > > Debug aaa commands come in very helpful when you are having real
> > > > > > radius/tacacs problems, but this could be something else, such as your
> > > > > > interface configuration.
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Fri, Mar 11, 2005 at 02:55:50PM -0300, Agustín Ciciliani wrote:
> > > > > > > Dear List,
> > > > > > >
> > > > > > > I apologize if this issue has been discussed, but I couldn't find any docs that help me
> > > > > > > out.
> > > > > > >
> > > > > > > I have a network with a cisco 1601R connected to the Internet and a radius server (simply an
> > > > > > > ethernet switch with windows workstations, the router and the server running freeradius).
> > > > > > >
> > > > > > > I'm trying to configure the cisco so clients dial to it, the cisco validates the user and
> > > > > > > password with the radius, and if everything is ok, it opens the door to that client for
> > > > > > > accessing the Internet.
> > > > > > >
> > > > > > > I've based my freeradius installation on reading http://www.frontios.com/freeradius.html so
> > > > > > > the server is running ok and the tests show me that it's validating as I need. The
> > > > > > > communication between the router and the server is also ok.
> > > > > > >
> > > > > > > The big problem is between the NAS and the clients. I read almost everything I've found in
> > > > > > > cisco about VTI, VPDN, PPP, AAA and RADIUS, but I cannot make it work...
> > > > > > >
> > > > > > > Besides, I'm not sure about what kind of windows client I should use (pppoe as an ADSL
> > > > > > > connection or VPN with the ip of the router to dial-in).
> > > > > > >
> > > > > > > I'll appreciate any comment, or perhaps you know a good howto or something that I could
> > > > > > > read.
> > > > > > >
> > > > > > > THANKS IN ADVANCE!!!
> > > > > > >
> > > > > > > Sincerely,
> > > > > > >
> > > > > > > Agustín
> > > > > > >
> > > > > > >
> > > > > > > -- 
> > > > > > > To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
> > > > > > > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> > > > > > >
> > > > > >
> > > > > > -- 
> > > > > > # Jesse Molina
> > > > > > # Mail = jesse@opendreams.net
> > > > > > # Page = page-jesse@opendreams.net
> > > > > > # Cell = 1.602.323.7608
> > > > > > # Web = http://www.opendreams.net/jesse/
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > >
> > > >
> > > >
> > >
> >
> >
> 
