Re: [Nufw-users] Radius authentication


From: Eric Leblond
Subject: Re: [Nufw-users] Radius authentication
Date: Tue, 17 Jun 2008 11:33:05 +0200
User-agent: Mutt/1.5.17+20080114 (2008-01-14)

Hello,

On Tuesday, 2008 June 17 at 10:59:50 +0200, Johann Spies wrote:
> On Fri, Jun 13, 2008 at 04:43:19PM +0200, Eric Leblond wrote:
> 
> > libpam-nufw is a transparent NuFW client for Unixes.
> > 
> > To authenticate against radius, you need to configure nuauth to use the
> > "system" authentication module. Once it is done, you will have to
> > configure PAM to authenticate against radius:
> >  * nuauth and PAM configuration: 
> > http://www.nufw.org/docs/howto22/x668.html#AEN670
> >  * Howto PAM radius: 
> > http://www.wikidsystems.com/documentation/howtos/pamradius
> 
> Thanks for your reply.  I made some progress with the help of these
> two links as well as some others.
> 
> What I have done so far (This is a Debian Stable server):
> 
> * installed libpam-radius-auth
> * compiled and installed nufw 2.2.15 from Debian Testing
> * Have the following in 
>   - /etc/nufw/nuauth.conf
>     nuauth_user_check_module="system"
>     nuauth_acl_check_module="plaintext" 
> 
>     I don't understand what the second of these two lines is doing.

This tells nuauth to use the storage of acl in plaintext format. It will
read a file on the computer.

> 
>   - /etc/pam_radius_auth.conf
>     <server>      <secret>    4
> 
>   - /etc/pam.d/common_auth
>     auth    sufficient     /lib/security/pam_radius_auth.so
>     auth    required        pam_unix.so nullok_secure
> 
> Now my questions and problems:
> 
> 1. Is it necessary to configure nsswitch.conf?  Why or why not?

There is a problem here because you can not get userid and user groups
from radius. I did a quick search on nss radius and I did not find
anything. A solution could be to directly act on the backend after
authentication...

> 2. The following happens:
>    $ sudo nuauth -vvvvvvvv
>    ** Message: [7] debug_level is 8
>    ** Message: [+] Starting nuauth 2.2.15 ($Revision: 4601 $) with config 
> /etc/nufw//nuauth.conf
> 
>    ** ERROR **: Unable to load module nuprelude in /usr/lib/nuauth/modules
>    aborting...
>    Aborted

Hmmm, bad configuration file in Debian testing. Simply search for
nuprelude in /etc/nufw//nuauth.conf and suppress the reference to
nuprelude in the uncommented line.

> 
> > > Maybe I must ask the question here:  Am I on the right track trying
> > > out NuFW or should I look further?
> > 
> > It seems ok but you may give us more details.
> 
> What type of details do you need?
> 
> Here are a few:
> 
> * At the moment we have FW-1 on two firewall servers and a management
>   server clustered by Rainwall.
> * Users authenticate against the firewall from a radius server when
>   they want to use the internet. They pay for the bandwidth they use.
> * Some users use a pay-as-you-go method of payment and we should be
>   able to monitor their usage in real time.  
> * We need both IP-address and username to do proper accounting.

OK, it seems fine for NuFW usage. The main issue could be if your users
are NATed before reaching the firewall. In this case, NuFW will not be
able to authenticate the packets.

BR,
-- 
Eric Leblond <address@hidden>
NuFW, Now User Filtering Works : http://www.nufw.org
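
The nuprelude fix described in the message above, as an added example that is not part of the original message or of NuFW's own code: it lists the uncommented `key="value"` lines of a nuauth.conf that name a given module and returns the text with that module removed. It assumes values are space-separated lists of module names; the `example_*` keys and the sample file are constructed for illustration.

```python
import re

# Uncommented  key="value"  line (syntax assumed from the lines quoted in the thread).
ASSIGN = re.compile(r'^(\s*)([A-Za-z_]\w*)\s*=\s*"([^"]*)"(.*)$')

# Constructed sample; the example_* keys are hypothetical, not real nuauth options.
SAMPLE_CONF = """\
# example_logs_module="syslog nuprelude"
nuauth_user_check_module="system"
nuauth_acl_check_module="plaintext"
example_logs_module="syslog nuprelude"
example_other_module="nuprelude"
"""


def find_module_refs(conf_text, module):
    """Return (line_number, key) for every uncommented line that names `module`."""
    hits = []
    for number, line in enumerate(conf_text.splitlines(), 1):
        match = ASSIGN.match(line)
        if match and module in match.group(3).split():
            hits.append((number, match.group(2)))
    return hits


def drop_module(conf_text, module):
    """Return conf_text with `module` removed from uncommented value lists.

    A line that named only `module` is commented out instead of being left
    with an empty value (a choice made by this example).
    """
    out = []
    for line in conf_text.splitlines():
        match = ASSIGN.match(line)
        if match and module in match.group(3).split():
            indent, key, value, tail = match.groups()
            kept = " ".join(w for w in value.split() if w != module)
            line = f'{indent}{key}="{kept}"{tail}' if kept else "#" + line
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for number, key in find_module_refs(SAMPLE_CONF, "nuprelude"):
        print(f"line {number}: {key} references nuprelude")
    print(drop_module(SAMPLE_CONF, "nuprelude"), end="")
```

Run it against a copy of the configuration and compare the result with the original before replacing the file.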
