Date:      Tue, 01 Oct 1996 11:52:06 -0400
From:      Chris Shenton <cshenton@it.hq.nasa.gov>
To:        questions@freefall.freebsd.org
Cc:        isp@freebsd.org
Subject:   Re: Portmaster dillema!
Message-ID:  <199610011552.PAA06712@wirehead.it.hq.nasa.gov>
In-Reply-To: Your message of "Tue, 1 Oct 1996 07:06:21 -0700 (PDT)"
References:  <199610011406.HAA18777@freefall.freebsd.org>

On Mon, 30 Sep 1996, Christopher H. Taylor wrote:

> I just started my ISP, using FreeBSD-2.1.5..... I got my Portmaster, and 
> configured everything properly.
> ... am I supposed to be adding all of my users into
> the Portmaster user table? I figured the portmaster would read my  
> /etc/passwd database, but I guess not! This is getting to be a pain 
> adding new users to my passwd table, then to the portmaster user table! 
> Isn't there a limit on the number of users I can have in the table? What
> if I get another Portmaster, will I have to add all of the users from the
> first one, into that one too?

Yeah, the manual indicates the user table is only good for about
50-100 users. What you want is RADIUS, a protocol which allows
portmasters (and other network access servers) to authenticate
username/password with a separate server. This is cool because then
you can have dozens of PortMasters (or Ascends, or...) all querying
the same RADIUS servers.  You can download the radius daemon from
ftp.livingston.com, or build the one in FreeBSD's ports collection.
You then configure the RADIUS server.

There are two basic ways to configure users:

1. add username/password into the RADIUS "users" table, or
2. tell radius daemon to validate against the UNIX /etc/passwd file.

I took the latter approach, because I only wanted to have the sysadms
create user "accounts" once. Since most of the users were going to be
dial-in PPP only (non-shell), I modified the "adduser" script config
to set the default shell offered when creating accounts to
"/NoShell".

So radiusd looks in the "users" file, finds only one user:

###############################################################################
# If no username match above, use UNIX /etc/passwd authentication method.
# This allows us to use our existing user account name/password for dialup
# PPP username/passwords. Thus, we don't need to maintain separate accounts.

DEFAULT Password = "UNIX"
        User-Service-Type       = Framed-User,
        Framed-Protocol         = PPP


If anyone else has comments on the wisdom of doing it this way, I'd be
happy to hear from you.

You might wanna subscribe to the freebsd-isp mailing list for
questions of this type; cc'd here.

Later.
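As an added example (my own code, not from the mail above or from Livingston's radiusd), here is a small Python audit of the approach described: it parses a "users" file in the format shown, applies radiusd's first-match / DEFAULT lookup, and lists the /etc/passwd accounts that the `Password = "UNIX"` fall-through would admit for dial-in even though they are not /NoShell accounts. The users-file and passwd data are constructed samples, and the password hashes are placeholders.

```python
def _items(text):
    """Parse 'Attr = value, Attr = "value"' into a dict (quotes stripped)."""
    out = {}
    for part in text.split(','):
        if '=' in part:
            key, val = part.split('=', 1)
            out[key.strip()] = val.strip().strip('"')
    return out

def parse_users_file(text):
    """Entry = 'name check-items' line + indented reply lines; DEFAULT matches anyone."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue                                   # blank or comment line
        if raw[0].isspace():                           # reply items for the current entry
            entries[-1]['reply'].update(_items(raw))
        else:
            head = raw.split(None, 1)
            entries.append({'name': head[0], 'reply': {},
                            'check': _items(head[1]) if len(head) > 1 else {}})
    return entries

def lookup(entries, username):
    # radiusd semantics: first entry naming the user, or DEFAULT, wins
    return next((e for e in entries if e['name'] in (username, 'DEFAULT')), None)

def audit(users_text, passwd_text, dialin_shell='/NoShell'):
    """Accounts the UNIX password check would admit that are not dial-in-only."""
    entries, flagged = parse_users_file(users_text), []
    for line in passwd_text.splitlines():
        fields = line.split(':')
        if len(fields) < 7:
            continue                                   # malformed passwd line
        name, pw_hash, shell = fields[0], fields[1], fields[6]
        entry = lookup(entries, name)
        if entry is None or entry['check'].get('Password') != 'UNIX':
            continue                                   # no UNIX-password entry applies
        if pw_hash == '*' or pw_hash.startswith('!'):
            continue                                   # locked account: crypt() never matches
        if shell != dialin_shell:
            flagged.append(name)                       # real shell + dial-in access: review
    return flagged

# Constructed sample data (not from the mail); password hashes are placeholders.
USERS = ('DEFAULT Password = "UNIX"\n        User-Service-Type       = Framed-User,\n'
         '        Framed-Protocol         = PPP\n')
PASSWD = ('root:PLACEHOLDER:0:0:Charlie &:/root:/bin/csh\n'
          'daemon:*:1:1:System:/root:/nonexistent\n'
          'sysadm:PLACEHOLDER:1001:1001:Admin:/home/sysadm:/bin/sh\n'
          'bob:PLACEHOLDER:1002:1002:Bob:/home/bob:/NoShell\n')
```

Running `audit(USERS, PASSWD)` on the sample reports root and sysadm: with a lone DEFAULT entry, every unlocked account in /etc/passwd is a valid PPP login, not only the /NoShell ones.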