 From:  Mike Nichols <mike at myownsoho dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Captive Portal with Radius accounting
 Date:  Mon, 09 Nov 2009 08:10:40 +0000
Hello all, I'm looking to do a full integration of a RADIUS server (based
on FreeRADIUS or GNU Radius). If anyone has any thoughts or considerations
regarding where to look for the most up-to-date and complete information
about these AAA methods integrating with m0n0/pf's Captive Portal, please
share those thoughts or links.

I intend to restrict access to certain sites or hosts based on
authenticated groups of users as well as non-authenticated users. 

This will be a fully customized product, while making every effort to
adhere to standards for WiSP, and even encrypted connections. 

My few initial questions here are concerns about whether the RADIUS server
will be providing IP addresses to the network users or if the DHCP server
included in m0n0 will handle that for me more efficiently. This network, as
you may have guessed, will have completely flexible IP addressing as no
public IP space will be allocated to these users. Everyone will be under
private IP networks, probably Class A or B. Has anyone here found use cases
where certain private network class addresses are better suited than
others? I'm all for simplicity and am leaning toward a larger than /24
Class A address space for these connected users, as I will be leaving
connections open longer than may be required.

Does it make more sense to log MAC addresses alone or possibly attach
(sticky) IP addresses to those MACs as well? My thought was to be able to
have network addresses as well as physical addresses in the activity
logging. Does this sound like something that may prove to be useful in the
future when integrated with a billing system? 

Any insight from those who have used RADIUS AAA methods for regulating
network access would be appreciated. While now using the built-in voucher
system and username access restrictions, I would like to have a retaining
database of users and switch their approved access on and off rather than
having their "account" expire after a predetermined amount of time. In
conjunction with the voucher system for one-time users or more fine-grained
time usage restrictions, I think it may make sense to gather information
about their machine, protocols they use more often than not, port usage,
etc. to solicit network-approved services and full-service amenities to my
users (including location based).

I might be going off on a few tangents here, but the discussion of others'
current setups is valuable to me and, I'd assume, to others as well.

Thanks again to anyone who can take the time. 

 Mike Nichols
 mike at myownsoho dot com
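The post asks whether logging MAC addresses alone or MAC plus IP is more useful for later billing. The following is an added example, not part of the original message or of m0n0wall/FreeRADIUS: it parses a constructed excerpt in the FreeRADIUS detail-file layout and merges Start/Stop accounting records by Acct-Session-Id, so each session carries the username, the client MAC (Calling-Station-Id), the assigned IP (Framed-IP-Address) and the usage figures a billing system would consume. The attribute names are standard RADIUS accounting attributes; the records themselves are made up.

```python
"""Correlate RADIUS accounting records into per-session billing rows.
The DETAIL text below is constructed sample data in FreeRADIUS detail-file
style: a timestamp header, tab-indented "Attr = value" lines, blank separator."""
from collections import defaultdict

DETAIL = """\
Mon Nov  9 08:00:00 2009
\tAcct-Status-Type = Start
\tUser-Name = "alice"
\tAcct-Session-Id = "4AF7A3C0-1"
\tCalling-Station-Id = "00:11:22:33:44:55"
\tFramed-IP-Address = 10.20.0.17

Mon Nov  9 08:00:05 2009
\tAcct-Status-Type = Start
\tUser-Name = "bob"
\tAcct-Session-Id = "4AF7A3C0-2"
\tCalling-Station-Id = "66:77:88:99:aa:bb"
\tFramed-IP-Address = 10.20.0.18

Mon Nov  9 09:30:00 2009
\tAcct-Status-Type = Stop
\tUser-Name = "alice"
\tAcct-Session-Id = "4AF7A3C0-1"
\tAcct-Session-Time = 5400
\tAcct-Input-Octets = 1048576
\tAcct-Output-Octets = 20971520
"""

def parse_detail(text):
    """Yield one dict of attributes per record; a blank line separates records."""
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines()[1:]:        # first line is the timestamp header
            key, _, val = line.strip().partition(" = ")
            rec[key] = val.strip('"')
        yield rec

def sessions(text):
    """Merge Start and Stop records by Acct-Session-Id.
    A session with closed=False has a Start but no Stop yet (still online)."""
    out = defaultdict(dict)
    for rec in parse_detail(text):
        s = out[rec["Acct-Session-Id"]]
        if rec["Acct-Status-Type"] == "Start":
            s.update(user=rec["User-Name"], mac=rec["Calling-Station-Id"],
                     ip=rec["Framed-IP-Address"], closed=False)
        elif rec["Acct-Status-Type"] == "Stop":
            s.update(closed=True, seconds=int(rec["Acct-Session-Time"]),
                     octets=int(rec["Acct-Input-Octets"]) + int(rec["Acct-Output-Octets"]))
    return dict(out)

if __name__ == "__main__":
    for sid, s in sessions(DETAIL).items():
        print(sid, s)
```

Because the MAC and IP are taken from the Start record and the usage from the Stop record, a later change of IP for the same client can be spotted by comparing Framed-IP-Address across that client's sessions, which is the correlation the billing question is really about.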