 
 From:  Josh <josh at nemesis dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Captive with IMAP
 Date:  Wed, 29 Sep 2004 06:32:01 -0700
My $.03 below..

>> Read "if you're too lazy to do things the *right* way"
>>
>> I agree with earlier posts - I wouldn't want to see the hack job of
>> turning a mail protocol into an authentication protocol included in
>> the distribution.  That would suggest this is an acceptable practice
>> for production, when I think anybody in their right mind wouldn't do
>> nor recommend this.

> [Difficulty of setting up RADIUS]
> 2003 Windows server is another Effort (note the capital E's on effort -

Really - more to the point is that there are a _lot_ of authentication  
methods and protocols out there.  I'd say that perhaps 30% of the  
enterprises I've consulted with use RADIUS (and often that infrastructure  
was only set up to deal with OTP - i.e. token cards, or challenge response of  
some type -- which probably won't work with m0n0's RADIUS anyway).  So  
yeah, RADIUS is nifty and can be set up for m0n0 if this is a brand new  
WISP.  But what about all the companies out there that want to add a few  
authenticated hotspots to a building or two for their corporation?  Say  
they use NIS, NIS+, LDAP, Oracle, MySQL, scp'd text files, secret decoder  
rings...  m0n0 can't support everything.

IMAP/POP is a pretty nifty idea since no matter what people are using in  
the back, they probably let their users get email somewhere (though even  
that won't work everywhere as mail server footprint may not overlap the  
wireless footprint well).  Given the various insanity of authentication  
and what 'enterprises' use to glue different  
systems together (I've seen Oracle<->NIS<->NIS+<->text<->LDAP), IMAP is  
not overly complex, it's stable, and well supported.  I would say that if  
IMAP/POP is used for auth then IMAPS / POPS (i.e. over SSL) should at  
least be an option.

If IMAP support isn't added - I would say LDAP and MySQL should be  
added..  But even with all 3, IMAP really seems more useful for a large  
number of scenarios.. Even if it's not really an authentication protocol.


-josh
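
Added example, not part of the original message and not m0n0wall code: a sketch of the credential check a captive portal could run against an IMAPS server, with the server certificate and hostname verified so portal passwords are never sent to an unauthenticated endpoint. The function names, the ASCII-only credential rule and the `connect` parameter (present so the check can be exercised without a mail server) are assumptions of this example.

```python
import imaplib
import ssl


def tls_context(cafile=None):
    """Client-side TLS context: certificate chain and hostname are verified."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def valid_credential(value, max_len=128):
    """Assumed policy: non-empty printable ASCII only, so CR/LF or other
    control bytes typed into the portal form never reach the IMAP command."""
    return 0 < len(value) <= max_len and all(32 <= ord(c) < 127 for c in value)


def imaps_auth(host, username, password, port=993, timeout=5,
               connect=imaplib.IMAP4_SSL):
    """Return True only if the IMAPS server accepts the login.

    Fails closed: bad input, an unreachable server, a certificate that does
    not verify, or a rejected login all yield False.
    """
    if not (valid_credential(username) and valid_credential(password)):
        return False
    try:
        conn = connect(host, port, ssl_context=tls_context(), timeout=timeout)
    except (OSError, imaplib.IMAP4.error):
        # ssl.SSLError and socket timeouts are OSError subclasses
        return False
    try:
        status, _ = conn.login(username, password)
        return status == "OK"
    except (OSError, imaplib.IMAP4.error):
        return False
    finally:
        try:
            conn.logout()  # never leave a mailbox session open
        except (OSError, imaplib.IMAP4.error):
            pass
```

The portal only ever learns accept or reject from this check; it does not select or read a mailbox.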