 
 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] External Authentication
 Date:  Sat, 11 Sep 2004 18:37:58 -0400
On Sat, 11 Sep 2004 15:26:06 -0700, Mitch (WebCob) <mitch at webcob dot com> wrote:
> Sorry I'm late to the game... I missed much of the thread - but in summary,
> are you thinking of turning mono around? Using Radius authentication
> (through SSL) to control ingress to your application instead of egress?
> 
> Not sure if that was your original idea, but I think that's a GREAT one...
> could help me in a current project as well - we have to "expose" a windows
> server for remote access - using the Radius server inbound to the central
> server could provide us with the required session logging and stats as well
> as a second level of security for the windows service.
> 
> I've heard of people trying to set up mono to use the NT radius service as
> its auth source - is this the solution? Then the users would be able to
> auth using the same password as they use on their domain login.
> 
> If I'm completely confusing or perverting your original idea, smack me - but
> is this what you were thinking? Is it possible?
> 

That was the original idea.  You could theoretically use RADIUS on
your Windows DC, NT or AD, to authenticate users on the m0n0wall, and
then open up a port.  Captive portal doesn't support SSL right now
though, so it would have to pass the credentials over the net in clear
text.  And you might have to do a little hacking on captive portal to
keep it from opening all ports to authenticated users, though firewall
rules may suffice.

When captive portal supports SSL, this would make a great solution if
it could be set up appropriately.  It might be possible now, but I'd
rather see Windows ports open to the internet than domain passwords
being passed over the internet in clear text.

Along those lines, since I understand this is an internal-only
application with only employees as users, why not make them connect
via VPN first?

-Chris
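The thread above describes a captive portal forwarding domain credentials to a RADIUS server on the Windows DC, and Chris's point that the browser-to-portal leg carries the password in clear text. The following is an added example (not code from the thread, from m0n0wall, or from any RADIUS implementation) that builds and parses an RFC 2865 Access-Request to show what the portal-to-RADIUS leg actually protects: the User-Password attribute is hidden with MD5 keyed by the shared secret and the Request Authenticator, while the User-Name crosses the wire unhidden. The shared secret, user name and password values are constructed for the example, and the function names are this example's own.

```python
"""Build and parse an RFC 2865 Access-Request to show which fields the
NAS-to-RADIUS leg hides.  Added example; not m0n0wall or any RADIUS library."""
import hashlib
import os
import struct
from typing import Optional

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 (at least
    16), then XOR each block with MD5(secret + previous ciphertext block), where the
    first 'previous block' is the 16-byte Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    hidden = b""
    prev = authenticator
    for i in range(0, padded_len, 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it.  With the wrong
    shared secret this yields garbage rather than an error."""
    clear = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def _attribute(attr_type: int, value: bytes) -> bytes:
    # RADIUS attribute: Type (1) | Length (1, includes these 2 octets) | Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         identifier: int = 1,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Packet the NAS (here the captive portal) would send to the RADIUS server."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator must be unpredictable
    attrs = _attribute(ATTR_USER_NAME, username)  # sent as-is: visible on the wire
    attrs += _attribute(ATTR_USER_PASSWORD,
                        hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes) -> dict:
    """Parse the 20-byte header and the attribute list; rejects length mismatches."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    authenticator = packet[4:20]
    attrs = {}
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {"code": code, "identifier": identifier,
            "authenticator": authenticator, "attrs": attrs}


if __name__ == "__main__":
    # Constructed values for the demonstration.
    secret = b"constructed-shared-secret"
    pkt = build_access_request(b"mitch", b"domain-passw0rd", secret, identifier=7)
    parsed = parse_access_request(pkt)
    print("User-Name on the wire:", parsed["attrs"][ATTR_USER_NAME])
    print("User-Password on the wire:", parsed["attrs"][ATTR_USER_PASSWORD].hex())
    print("Recovered by server:", reveal_password(parsed["attrs"][ATTR_USER_PASSWORD],
                                                  secret, parsed["authenticator"]))
```

The hiding only applies between the NAS and the RADIUS server and depends entirely on the shared secret; it does nothing for the HTTP form submission from the browser to the captive portal, which is the leg Chris is worried about and which a VPN or SSL on the portal would cover.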