* [LARTC] Authetication on LAN
@ 2001-05-09 5:43 Deepak singhal
From: Deepak singhal @ 2001-05-09 5:43 UTC (permalink / raw)
To: lartc
Hi All ,
I may be asking the question to the wrong mailing list, but I would still be grateful if someone could help me out or refer me to the right mailing list. Now the question:
I want to do authentication and accounting for the users on the LAN who use my Linux gateway for internet access. My Linux box is running Red Hat 6.2 along with ipchains and masquerading done.
I have tried using squid for authentication, but the username/password functionality, i.e. authentication, doesn't work with transparent proxying of squid. I don't know whether PPP over Ethernet can do this?
Could anyone suggest to me what to do so that I can authenticate my users on the LAN and also keep an accounting record for the usage. There are commercial versions available in the market doing the same, but I want some freeware.
What the commercial products do is that they have a client exe running on each machine, on which the user enters his username and password, and that exe talks to some port number on the gateway where some sort of modified RADIUS sits, which does the user authentication based on the username/password and IP of the user, and a log is maintained for the usage.
Thanks in Advance
Deepak
* Re: [LARTC] Authetication on LAN
From: Torge Szczepanek @ 2001-05-09 6:28 UTC (permalink / raw)
To: lartc
Deepak singhal wrote:
> I want to do authentication and accounting for the users on the LAN who
> use my linux gateway for internet access. My linux box is running redhat
> 6.2 along with ipchains and masquerading done.
> proxying of squid. I don't know whether PPP over Ethernet can do this?
> Could anyone suggest to me what to do so that I can authenticate my users
> on the LAN and also keep an accounting record for the usage. There
> are commercial versions available in the market doing the same but I
> want some freeware.
You should take a look at PoPTop http://poptop.lineo.com/
This is a solution for building a VPN server. You can start a PPTP session
to your gateway with user/password authentication. You can assign
special IP addresses so you can also do accounting of traffic.
I don't know how many users you need. It seems that this software is not
yet tested with more than 50 or 60 users. I am planning to set up a test
installation with authentication and accounting of about 4000 users,
perhaps using 4 to 8 gateways.
It is based on the PPTP protocol, which is implemented in Micro$oft
Windows (VPN adapters). There is also a Linux and FreeBSD client available.
Because all needed tools are included in MS Windows, it is easy to set
this up on the client machines with no need for additional software.
--
Torge Szczepanek
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/
* Re: [LARTC] Authetication on LAN
From: Mike Fedyk @ 2001-05-09 7:11 UTC (permalink / raw)
To: lartc
On Wed, May 09, 2001 at 11:20:54AM +0530, Deepak singhal wrote:
> Hi All ,
>
> I may be asking the question to the wrong mailing list, but I would still be grateful if someone could help me out or refer me to the right mailing list. Now the question:
>
> I want to do authentication and accounting for the users on the LAN who use my Linux gateway for internet access. My Linux box is running Red Hat 6.2 along with ipchains and masquerading done.
>
> I have tried using squid for authentication, but the username/password functionality, i.e. authentication, doesn't work with transparent proxying of squid. I don't know whether PPP over Ethernet can do this?
>
> Could anyone suggest to me what to do so that I can authenticate my users on the LAN and also keep an accounting record for the usage. There are commercial versions available in the market doing the same, but I want some freeware.
>
> What the commercial products do is that they have a client exe running on each machine, on which the user enters his username and password, and that exe talks to some port number on the gateway where some sort of modified RADIUS sits, which does the user authentication based on the username/password and IP of the user, and a log is maintained for the usage.
>
All you will be able to account on will be individual computers, not users.
If you want accounting, you'll need a non-transparent solution. You were going
in the right direction with squid, but you will _NOT_ find anything that is
transparent and still able to log based on user.
Mike
* Re: [LARTC] Authetication on LAN
From: Deepak singhal @ 2001-05-09 7:26 UTC (permalink / raw)
To: lartc
Hi ,
I hope to do this for around 1000 users... Would a single machine be able
to take the load / create VPNs for around 400 simultaneous users? Does some
other form of authentication/accounting also exist?
Deepak
* Re: [LARTC] Authetication on LAN
From: Michael T. Babcock @ 2001-05-10 14:19 UTC (permalink / raw)
To: lartc
On 09 May 2001 00:11:17 -0700, Mike Fedyk wrote:
> All you will be able to account on, will be individual computers, not users.
> If you want accounting, you'll need a non-transparent solution. You were on
> the right direction with squid, but you will _NOT_ find anything that is
> transparent and still be able to log based on user.
Not true.
Grab an identd service for Windows that reports the user's login ID.
Then use Squid's ident ACLs.
* Re: [LARTC] Authetication on LAN
From: Torge Szczepanek @ 2001-05-10 17:07 UTC (permalink / raw)
To: lartc
Deepak singhal wrote:
> I Hope to do this for around 1000 users ... would a single machine be able
> to take the load/create VPNs of around 400 simultaneous users. Does some
> other form of authentication/accounting also exists .
I don't know. I am going to test this in the next 2 months.
--
Torge Szczepanek
* Re: [LARTC] Authetication on LAN
From: Mike Fedyk @ 2001-05-10 23:24 UTC (permalink / raw)
To: lartc
On Thu, May 10, 2001 at 10:19:26AM -0400, Michael T. Babcock wrote:
> On 09 May 2001 00:11:17 -0700, Mike Fedyk wrote:
>
> > All you will be able to account on, will be individual computers, not users.
> > If you want accounting, you'll need a non-transparent solution. You were on
> > the right direction with squid, but you will _NOT_ find anything that is
> > transparent and still be able to log based on user.
>
> Not true.
>
> Grab an identd service for Windows that reports the user's login ID.
> Then use Squid's ident ACLs.
This doesn't account for any non-HTTP protocols. On my network, users are using
ftp, RealAudio, win media player, legacy AOL, AIM, ICQ.
How are you going to account for those?
Mike
* Re: [LARTC] Authetication on LAN
From: Michael T. Babcock @ 2001-05-11 1:05 UTC (permalink / raw)
To: lartc
On 10 May 2001 16:24:23 -0700, Mike Fedyk wrote:
> This doesn't account any non http protocols. On my network, users are using
> ftp, real audio, win media player, legacy aol, aim, icq.
>
> How are you going to account those?
Anything that runs through Socks4/5 (all of the above) can have per-user
authentication.
* Re: [LARTC] Authetication on LAN
From: Mike Fedyk @ 2001-05-11 1:10 UTC (permalink / raw)
To: lartc
On Thu, May 10, 2001 at 09:05:03PM -0400, Michael T. Babcock wrote:
> On 10 May 2001 16:24:23 -0700, Mike Fedyk wrote:
> > This doesn't account any non http protocols. On my network, users are using
> > ftp, real audio, win media player, legacy aol, aim, icq.
> >
> > How are you going to account those?
>
> Anything that runs through Socks4/5 (all of the above) can have per-user
> authentication.
Ahh, but now we are talking about a non-transparent setup. I want something
where it will work with any TCP/IP device without any setup besides setting
IP and routing.
I'd like to see something that can identify which user is using each
connection, and not need anything more than an identd. This would enable
access for that ip/port as needed at layer 3/4.
Mike
* Re: [LARTC] Authetication on LAN
From: Michael T. Babcock @ 2001-05-11 1:15 UTC (permalink / raw)
To: lartc
On 10 May 2001 18:10:43 -0700, Mike Fedyk wrote:
> Ahh, but now we are talking about a non-transparent setup. I want something
> where it will work with any TCP/IP device without any setup besides setting
> IP and routing.
>
> I'd like to see something that can identify which user is using each
> connection, and not need anything more than an identd. This would enable
> access for that ip/port as needed at layer 3/4.
I'm not aware of one, but it shouldn't be too hard to write a program
that would watch for outgoing connections via netlink (Linux) or some
such device and request ident information about that user before
deciding to allow or deny the request.
One might exist.
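One way to realize the idea in this post and the earlier identd-plus-Squid suggestion, as an added Python example that is not code from any poster: the gateway asks the workstation's identd (RFC 1413) who owns a new outgoing connection, checks that the reply echoes the port pair it asked about, and returns an ACCEPT/DROP verdict from a policy table. The connection table, the policy and the socketpair standing in for TCP port 113 are constructed assumptions; note that an ident answer is self-reported by the client host, so it identifies users only as far as that host is trusted.

```python
import socket
import threading

# Constructed connection table for the workstation's identd:
# (local port on the workstation, remote port) -> logged-in user.
WORKSTATION_CONNECTIONS = {
    (40000, 80): "alice",   # alice's browser talking to a web server
    (40001, 21): "bob",     # bob's ftp session
}
# Constructed gateway policy: users allowed to reach the internet.
ALLOWED_USERS = {"alice"}

def _ports(text):
    """Parse 'a , b' into (a, b); None if the pair is malformed."""
    try:
        a, b = (int(x) for x in text.split(","))
        return a, b
    except ValueError:
        return None

def build_ident_request(port_on_workstation, port_on_remote):
    """RFC 1413 query: '<port-on-server> , <port-on-client>', where the
    'server' is the host running identd (here the LAN workstation)."""
    return f"{port_on_workstation} , {port_on_remote}\r\n".encode("ascii")

def ident_response(table, request):
    """Minimal identd: answer one query line from a connection table."""
    pair = _ports(request.decode("ascii", "replace"))
    if pair is None:
        return b"0 , 0 : ERROR : INVALID-PORT\r\n"
    user = table.get(pair)
    if user is None:
        return f"{pair[0]} , {pair[1]} : ERROR : NO-USER\r\n".encode("ascii")
    return f"{pair[0]} , {pair[1]} : USERID : UNIX : {user}\r\n".encode("ascii")

def parse_ident_reply(reply, port_on_workstation, port_on_remote):
    """User name from a reply, or None for ERROR, malformed lines, or a
    reply whose echoed port pair is not the connection we asked about."""
    fields = [f.strip() for f in reply.decode("ascii", "replace").split(":", 3)]
    if _ports(fields[0]) != (port_on_workstation, port_on_remote):
        return None
    if len(fields) != 4 or fields[1] != "USERID":
        return None
    return fields[3] or None

def verdict_for_connection(port_on_workstation, port_on_remote, sock, timeout=2.0):
    """Gateway side: ask identd who owns the new connection, then decide."""
    sock.settimeout(timeout)
    sock.sendall(build_ident_request(port_on_workstation, port_on_remote))
    try:
        reply = sock.recv(1024)
    except socket.timeout:
        return "DROP"   # no identd answer: fail closed
    user = parse_ident_reply(reply, port_on_workstation, port_on_remote)
    return "ACCEPT" if user in ALLOWED_USERS else "DROP"

def check_connection(port_on_workstation, port_on_remote):
    """One full exchange; a socketpair stands in for TCP port 113 on the LAN."""
    gw_end, ws_end = socket.socketpair()
    def identd():
        with ws_end:
            ws_end.sendall(ident_response(WORKSTATION_CONNECTIONS, ws_end.recv(1024)))
    t = threading.Thread(target=identd)
    t.start()
    with gw_end:
        result = verdict_for_connection(port_on_workstation, port_on_remote, gw_end)
    t.join()
    return result
```

A real deployment would make the query over TCP to port 113 of the workstation for each new connection seen by the gateway, and the verdict would feed whatever packet-filter hook the gateway uses.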
* Re: [LARTC] Authetication on LAN
From: Mike Fedyk @ 2001-05-11 1:24 UTC (permalink / raw)
To: lartc
On Thu, May 10, 2001 at 09:15:56PM -0400, Michael T. Babcock wrote:
> On 10 May 2001 18:10:43 -0700, Mike Fedyk wrote:
> > Ahh, but now we are talking about a non-transparent setup. I want something
> > where it will work with any TCP/IP device without any setup besides setting
> > IP and routing.
> >
> > I'd like to see something that can identify which user is using each
> > connection, and not need anything more than an identd. This would enable
> > access for that ip/port as needed at layer 3/4.
>
> I'm not aware of one, but it shouldn't be too hard to write a program
> that would watch for outgoing connections via netlink (Linux) or some
> such device and request ident information about that user before
> deciding to allow or deny the request.
>
> One might exist.
What level of programming would it require? Perl, shell or C?
Mike
* Re: [LARTC] Authetication on LAN
From: Michael T. Babcock @ 2001-05-14 0:41 UTC (permalink / raw)
To: lartc
On 10 May 2001 18:24:18 -0700, Mike Fedyk wrote:
> > I'm not aware of one, but it shouldn't be too hard to write a program
> > that would watch for outgoing connections via netlink (Linux) or some
> > such device and request ident information about that user before
> > deciding to allow or deny the request.
> >
> > One might exist.
>
> What level of programming would it require? Perl, shell or C?
Perl or C depending on the speed of your connection and your CPU
horsepower (as every packet or packet header would be inspected).
* Re: [LARTC] Authetication on LAN
From: Mike Fedyk @ 2001-05-14 1:13 UTC (permalink / raw)
To: lartc
On Sun, May 13, 2001 at 08:41:15PM -0400, Michael T. Babcock wrote:
> On 10 May 2001 18:24:18 -0700, Mike Fedyk wrote:
> > > I'm not aware of one, but it shouldn't be too hard to write a program
> > > that would watch for outgoing connections via netlink (Linux) or some
> > > such device and request ident information about that user before
> > > deciding to allow or deny the request.
> > >
> > > One might exist.
> >
> > What level of programming would it require? Perl, shell or C?
>
> Perl or C depending on the speed of your connection and your CPU
> horsepower (as every packet or packet header would be inspected).
Isn't there a way to look only at packets that would be blocked by the
filters? This would alleviate much of the burden on the processor, even for
a C program.
* Re: [LARTC] Authetication on LAN
From: Ramin Alidousti @ 2001-05-14 1:25 UTC (permalink / raw)
To: lartc
On Sun, May 13, 2001 at 06:13:03PM -0700, Mike Fedyk wrote:
> On Sun, May 13, 2001 at 08:41:15PM -0400, Michael T. Babcock wrote:
> > On 10 May 2001 18:24:18 -0700, Mike Fedyk wrote:
> > > > I'm not aware of one, but it shouldn't be too hard to write a program
> > > > that would watch for outgoing connections via netlink (Linux) or some
> > > > such device and request ident information about that user before
> > > > deciding to allow or deny the request.
> > > >
> > > > One might exist.
> > >
> > > What level of programming would it require? Perl, shell or C?
> >
> > Perl or C depending on the speed of your connection and your CPU
> > horsepower (as every packet or packet header would be inspected).
>
> Isn't there a way to only look at packets that would be blocked by the
> filters only? This would alleviate much of the burden on the processor for
> even a C program.
I believe that you can use the QUEUE target of netfilter to check packets in
userland selectively.
Ramin
* Re: [LARTC] Authetication on LAN
From: Mike Fedyk @ 2001-05-14 2:08 UTC (permalink / raw)
To: lartc
On Sun, May 13, 2001 at 09:25:20PM -0400, Ramin Alidousti wrote:
> On Sun, May 13, 2001 at 06:13:03PM -0700, Mike Fedyk wrote:
>
> > On Sun, May 13, 2001 at 08:41:15PM -0400, Michael T. Babcock wrote:
> > > On 10 May 2001 18:24:18 -0700, Mike Fedyk wrote:
> > > > > I'm not aware of one, but it shouldn't be too hard to write a program
> > > > > that would watch for outgoing connections via netlink (Linux) or some
> > > > > such device and request ident information about that user before
> > > > > deciding to allow or deny the request.
> > > > >
> > > > > One might exist.
> > > >
> > > > What level of programming would it require? Perl, shell or C?
> > >
> > > Perl or C depending on the speed of your connection and your CPU
> > > horsepower (as every packet or packet header would be inspected).
> >
> > Isn't there a way to only look at packets that would be blocked by the
> > filters only? This would alleviate much of the burden on the processor for
> > even a C program.
>
> I believe that you can use QUEUE target of netfilter to check packets in the
> userland selectively.
>
> Ramin
I think I saw something in 2.2 that will do that too, don't know the
interface though...