LARTC - May 2001 - Authetication on LAN

Hi All ,

I may be asking the question to wrong mailing list but still would be greatful
if someone could help me out or refer me to the right mailing list. Now the
question :

I want to do authentication and accounting for the users on the LAN who use my
linux gateway for internet access. My linux box is running redhat 6.2 along with
ipchains and masquerading done.

I have tried using squid for authentication but username/password functionality
i.e. authentication but this doen`t work with transparent proxying of squid. I
doesn`t know whether PPP over Ethernet can do this  ?

Could anyone suggest me what to do so that i can authenticate my users on the
LAN and also keep and accounting record  for the usage . Their are commercial
versions available in the market doing the same but i want some freeware .

What commercial product do is ..that they have a client exe running on each
machine on which user enters his username and password and that exe talks to
some port no on the gateway where some sort of modified radius sits which does
the user authentication based on the username/password and IP of the user and
the  log is maintained for the usage.


Thanks in Advance

Deepak

Deepak singhal wrote:
> I want to do authentication and accounting for the users on the LAN who 
> use my linux gateway for internet access. My linux box is running redhat 
> 6.2 along with ipchains and masquerading done.
> proxying of squid. I doesn`t know whether PPP over Ethernet can do this  ? 
> Could anyone suggest me what to do so that i can authenticate my users 
> on the LAN and also keep and accounting record  for the usage . Their 
> are commercial versions available in the market doing the same but i 
> want some freeware .
You should take a look at PoPTop http://poptop.lineo.com/

This is a solution for building a VPN Server. You can start PPTP session 
to your gateway with user/password authentication. You can assign 
special IP adresses so you can also do accounting of traffic.

I don''t know how many users you need. It seems that this software is
not
yet tested with more than 50 or 60 users. I am planning to set up a test 
installation with authentication and accounting of about 4000 users 
perhaps using a number of 4 to 8 gateways.

It is based on the PPTP-protocol, which is implemented in Micro$oft 
Windows (VPN-Adapters). There is also a Linux and FreeBSD client avaible.

Because all needed tools are included in MS Windows, it is easy to set 
this up on the client machines with no need of additional software.

-- 
Torge Szczepanek

On Wed, May 09, 2001 at 11:20:54AM +0530, Deepak singhal
wrote:
> Hi All ,
> 
> I may be asking the question to wrong mailing list but still would be
greatful if someone could help me out or refer me to the right mailing list. Now
the question :
> 
> I want to do authentication and accounting for the users on the LAN who use
my linux gateway for internet access. My linux box is running redhat 6.2 along
with ipchains and masquerading done.
> 
> I have tried using squid for authentication but username/password
functionality i.e. authentication but this doen`t work with transparent proxying
of squid. I doesn`t know whether PPP over Ethernet can do this  ?
> 
> Could anyone suggest me what to do so that i can authenticate my users on
the LAN and also keep and accounting record  for the usage . Their are
commercial versions available in the market doing the same but i want some
freeware .
> 
> What commercial product do is ..that they have a client exe running on each
machine on which user enters his username and password and that exe talks to
some port no on the gateway where some sort of modified radius sits which does
the user authentication based on the username/password and IP of the user and
the  log is maintained for the usage.
> 
All you will be able to account on, will be individual computers, not users.
If you want accounting, you''ll need a non-transparent solution.  You
were on
the right direction with squid, but you will _NOT_ find anything that is
transparent and still be able to log based on user.

Mike

Hi ,

I Hope to do this for around 1000 users ... would a single machine be able
to take the load/create VPNs  of around 400 simultaneous users. Does some
other form of authentication/accounting also exists .


Deepak

----- Original Message -----
From: "Torge Szczepanek" <advrouting@szczepanek.de>
To: "Deepak singhal" <dsinghal@spacewayindia.com>;
<lartc@mailman.ds9a.nl>
Sent: Wednesday, May 09, 2001 11:58 AM
Subject: Re: [LARTC] Authetication on LAN

> Deepak singhal wrote:
>
> > I want to do authentication and accounting for the users on the LAN
who
> > use my linux gateway for internet access. My linux box is running
redhat
> > 6.2 along with ipchains and masquerading done.
>
> > proxying of squid. I doesn`t know whether PPP over Ethernet can do
this
?
> > Could anyone suggest me what to do so that i can authenticate my users
> > on the LAN and also keep and accounting record  for the usage . Their
> > are commercial versions available in the market doing the same but i
> > want some freeware .
>
> You should take a look at PoPTop http://poptop.lineo.com/
>
> This is a solution for building a VPN Server. You can start PPTP session
> to your gateway with user/password authentication. You can assign
> special IP adresses so you can also do accounting of traffic.
>
> I don''t know how many users you need. It seems that this software
is not
> yet tested with more than 50 or 60 users. I am planning to set up a test
> installation with authentication and accounting of about 4000 users
> perhaps using a number of 4 to 8 gateways.
>
> It is based on the PPTP-protocol, which is implemented in Micro$oft
> Windows (VPN-Adapters). There is also a Linux and FreeBSD client avaible.
>
> Because all needed tools are included in MS Windows, it is easy to set
> this up on the client machines with no need of additional software.
>
> --
> Torge Szczepanek
>
>

On 09 May 2001 00:11:17 -0700, Mike Fedyk wrote:
> All you will be able to account on, will be individual computers, not
users.
> If you want accounting, you''ll need a non-transparent solution. 
You were on
> the right direction with squid, but you will _NOT_ find anything that is
> transparent and still be able to log based on user.
Not true.

Grab an identd service for Windows that reports the user''s login ID.
Then use Squid''s ident ACLs.

Deepak singhal wrote:
> I Hope to do this for around 1000 users ... would a single machine be able
> to take the load/create VPNs  of around 400 simultaneous users. Does some
> other form of authentication/accounting also exists .
I don''t know. I am going to test this in the next 2 months.

-- 
Torge Szczepanek

On Thu, May 10, 2001 at 10:19:26AM -0400, Michael T. Babcock
wrote:
> On 09 May 2001 00:11:17 -0700, Mike Fedyk wrote:
> 
> > All you will be able to account on, will be individual computers, not
users.
> > If you want accounting, you''ll need a non-transparent
solution.  You were on
> > the right direction with squid, but you will _NOT_ find anything that
is
> > transparent and still be able to log based on user.
> 
> Not true.
> 
> Grab an identd service for Windows that reports the user''s login
ID.
> Then use Squid''s ident ACLs.
This doesn''t account any non http protocols.  On my network, users are
using
ftp, real audio, win media player, legacy aol, aim, icq.

How are you going to account those?

Mike

On 10 May 2001 16:24:23 -0700, Mike Fedyk wrote:
> This doesn''t account any non http protocols.  On my network, users
are using
> ftp, real audio, win media player, legacy aol, aim, icq.
> 
> How are you going to account those?
Anything that runs through Socks4/5 (all of the above) can have per-user
authentication.

On Thu, May 10, 2001 at 09:05:03PM -0400, Michael T. Babcock
wrote:
> On 10 May 2001 16:24:23 -0700, Mike Fedyk wrote:
> > This doesn''t account any non http protocols.  On my network,
users are using
> > ftp, real audio, win media player, legacy aol, aim, icq.
> > 
> > How are you going to account those?
> 
> Anything that runs through Socks4/5 (all of the above) can have per-user
> authentication.
Ahh, but now we are talking about a non-transparent setup.  I want something
where it will work with any TCP/IP device without any setup besides setting
IP and routing.

I''d like to see something that can identify which user is using each
connection, and not need anything more than an identd.  This would enable
access for that ip/port as needed at layer 3/4.

Mike

On 10 May 2001 18:10:43 -0700, Mike Fedyk wrote:
> Ahh, but now we are talking about a non-transparent setup.  I want
something
> where it will work with any TCP/IP device without any setup besides setting
> IP and routing.
> 
> I''d like to see something that can identify which user is using
each
> connection, and not need anything more than an identd.  This would enable
> access for that ip/port as needed at layer 3/4.
I''m not aware of one, but it shouldn''t be too hard to write a
program
that would watch for outgoing connections via netlink (Linux) or some
such device and request ident information about that user before
deciding to allow or deny the request.

One might exist.

On Thu, May 10, 2001 at 09:15:56PM -0400, Michael T. Babcock
wrote:
> On 10 May 2001 18:10:43 -0700, Mike Fedyk wrote:
> > Ahh, but now we are talking about a non-transparent setup.  I want
something
> > where it will work with any TCP/IP device without any setup besides
setting
> > IP and routing.
> > 
> > I''d like to see something that can identify which user is
using each
> > connection, and not need anything more than an identd.  This would
enable
> > access for that ip/port as needed at layer 3/4.
> 
> I''m not aware of one, but it shouldn''t be too hard to
write a program
> that would watch for outgoing connections via netlink (Linux) or some
> such device and request ident information about that user before
> deciding to allow or deny the request.
> 
> One might exist.
What level of programming would it require?  Perl, shell or C?

Mike

On 10 May 2001 at 21:05, Michael T. Babcock wrote:
> Anything that runs through Socks4/5 (all of the above) can have
> per-user authentication.
This is slightly (?) off-topic, so I hope you all won''t mind. Would
anyone
have a good SOCKS 4/5 daemon to recommend for Linux? Hopefully something
that aside from being fast and stable, can handle per-user authentication.

Thanks in advance!

 --> Jijo

---
Linux, MS-DOS, and Windows NT ...
... also known as the Good, the Bad, and the Ugly

That would solve my problem also ..!! If anybody can recommend soks4/5
daemon with per user authentication ..
----- Original Message -----
From: "Federico Sevilla III" <jijo@i-manila.com.ph>
To: "LARTC Mailing List" <lartc@mailman.ds9a.nl>
Sent: Friday, May 11, 2001 3:56 PM
Subject: [LARTC] SOCKS4/5 daemon (was: Authetication on LAN)

> On 10 May 2001 at 21:05, Michael T. Babcock wrote:
> > Anything that runs through Socks4/5 (all of the above) can have
> > per-user authentication.
>
> This is slightly (?) off-topic, so I hope you all won''t mind.
Would anyone
> have a good SOCKS 4/5 daemon to recommend for Linux? Hopefully something
> that aside from being fast and stable, can handle per-user authentication.
>
> Thanks in advance!
>
>  --> Jijo
>
> ---
> Linux, MS-DOS, and Windows NT ...
> ... also known as the Good, the Bad, and the Ugly
>
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO:
http://ds9a.nl/2.4Routing/
>

On Fri, 11 May 2001 at 17:48, Deepak singhal wrote:
> That would solve my problem also ..!! If anybody can recommend soks4/5
> daemon with per user authentication ..
I just did a quick search on Freshmeat and from the results it looks like
Dante <http://www.inet.no/dante/> is the choice for those who
don''t fit in
NEC''s "free for non-commercial use" license. Supposedly Dante
has
username/password authentication for Socks5 support in place.

Has anyone tried Dante out? Perhaps someone could help and let us know if
it''s any good, or maybe if there''s another program out there
that might
work better.

Thanks in advance. :)

 --> Jijo

---
Linux, MS-DOS, and Windows NT ...
... also known as the Good, the Bad, and the Ugly

I use Dante on three clients'' networks as well as my own and it works
very
well.  Subscribe to their announcements list as they make new releases
whenever they make (minor/bug fix) enhancements.

Configuration is simple, but not all Socks compliant software supports
authentication.  Dante''s configuration allows for multiple sets of
allow/deny ACLs to cover all the possibilities.
> I just did a quick search on Freshmeat and from the results it looks like
> Dante <http://www.inet.no/dante/> is the choice for those who
don''t fit in
> NEC''s "free for non-commercial use" license. Supposedly
Dante has
> username/password authentication for Socks5 support in place.
>
> Has anyone tried Dante out? Perhaps someone could help and let us know if
> it''s any good, or maybe if there''s another program out
there that might
> work better.

On Fri, 11 May 2001 17:48:07 +0530, you wrote:
>That would solve my problem also ..!! If anybody can recommend soks4/5
>daemon with per user authentication ..
 - www.socks.nec.com
- dante (I''m offline now, cannot check it): www.dante.com  ? 

 Anyway, use google.com....

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-    ** RoMaN SoFt / LLFB **  
       roman@madrid.com
   http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On 10 May 2001 18:24:18 -0700, Mike Fedyk wrote:
> > I''m not aware of one, but it shouldn''t be too hard
to write a program
> > that would watch for outgoing connections via netlink (Linux) or some
> > such device and request ident information about that user before
> > deciding to allow or deny the request.
> > 
> > One might exist.
> 
> What level of programming would it require?  Perl, shell or C?
Perl or C depending on the speed of your connection and your CPU
horsepower (as every packet or packet header would be inspected).

On Sun, May 13, 2001 at 08:41:15PM -0400, Michael T. Babcock
wrote:
> On 10 May 2001 18:24:18 -0700, Mike Fedyk wrote:
> > > I''m not aware of one, but it shouldn''t be too
hard to write a program
> > > that would watch for outgoing connections via netlink (Linux) or
some
> > > such device and request ident information about that user before
> > > deciding to allow or deny the request.
> > > 
> > > One might exist.
> > 
> > What level of programming would it require?  Perl, shell or C?
> 
> Perl or C depending on the speed of your connection and your CPU
> horsepower (as every packet or packet header would be inspected).
Isn''t there a way to only look at packets that would be blocked by the
filters only?  This would alleviate much of the burden on the processor for
even a C program.

On Sun, May 13, 2001 at 06:13:03PM -0700, Mike Fedyk wrote:
> On Sun, May 13, 2001 at 08:41:15PM -0400, Michael T. Babcock wrote:
> > On 10 May 2001 18:24:18 -0700, Mike Fedyk wrote:
> > > > I''m not aware of one, but it shouldn''t be
too hard to write a program
> > > > that would watch for outgoing connections via netlink
(Linux) or some
> > > > such device and request ident information about that user
before
> > > > deciding to allow or deny the request.
> > > > 
> > > > One might exist.
> > > 
> > > What level of programming would it require?  Perl, shell or C?
> > 
> > Perl or C depending on the speed of your connection and your CPU
> > horsepower (as every packet or packet header would be inspected).
> 
> Isn''t there a way to only look at packets that would be blocked by
the
> filters only?  This would alleviate much of the burden on the processor for
> even a C program.
I believe that you can use QUEUE target of netfilter to check packets in the
userland selectively.

Ramin

On Sun, May 13, 2001 at 09:25:20PM -0400, Ramin Alidousti
wrote:
> On Sun, May 13, 2001 at 06:13:03PM -0700, Mike Fedyk wrote:
> 
> > On Sun, May 13, 2001 at 08:41:15PM -0400, Michael T. Babcock wrote:
> > > On 10 May 2001 18:24:18 -0700, Mike Fedyk wrote:
> > > > > I''m not aware of one, but it
shouldn''t be too hard to write a program
> > > > > that would watch for outgoing connections via netlink
(Linux) or some
> > > > > such device and request ident information about that
user before
> > > > > deciding to allow or deny the request.
> > > > > 
> > > > > One might exist.
> > > > 
> > > > What level of programming would it require?  Perl, shell or
C?
> > > 
> > > Perl or C depending on the speed of your connection and your CPU
> > > horsepower (as every packet or packet header would be inspected).
> > 
> > Isn''t there a way to only look at packets that would be
blocked by the
> > filters only?  This would alleviate much of the burden on the
processor for
> > even a C program.
> 
> I believe that you can use QUEUE target of netfilter to check packets in
the
> userland selectively.
> 
> Ramin
I think I saw something in 2.2 that will do that too, don''t know the
interface though...