Hi All,

I may be asking the question to the wrong mailing list but still would be grateful if someone could help me out or refer me to the right mailing list. Now the question:

I want to do authentication and accounting for the users on the LAN who use my linux gateway for internet access. My linux box is running redhat 6.2 along with ipchains and masquerading done.

I have tried using squid for authentication, i.e. username/password functionality, but this doesn't work with transparent proxying of squid. I don't know whether PPP over Ethernet can do this?

Could anyone suggest me what to do so that I can authenticate my users on the LAN and also keep an accounting record for the usage. There are commercial versions available in the market doing the same but I want some freeware.

What the commercial products do is that they have a client exe running on each machine on which the user enters his username and password, and that exe talks to some port no on the gateway where some sort of modified radius sits which does the user authentication based on the username/password and IP of the user, and the log is maintained for the usage.

Thanks in Advance
Deepak
Deepak singhal wrote:
> I want to do authentication and accounting for the users on the LAN who
> use my linux gateway for internet access. My linux box is running redhat
> 6.2 along with ipchains and masquerading done.
> proxying of squid. I don't know whether PPP over Ethernet can do this?
> Could anyone suggest me what to do so that I can authenticate my users
> on the LAN and also keep an accounting record for the usage. There
> are commercial versions available in the market doing the same but I
> want some freeware.

You should take a look at PoPTop http://poptop.lineo.com/

This is a solution for building a VPN Server. You can start a PPTP session to your gateway with user/password authentication. You can assign special IP addresses so you can also do accounting of traffic.

I don't know how many users you need. It seems that this software is not yet tested with more than 50 or 60 users. I am planning to set up a test installation with authentication and accounting of about 4000 users, perhaps using a number of 4 to 8 gateways.

It is based on the PPTP-protocol, which is implemented in Micro$oft Windows (VPN-Adapters). There is also a Linux and FreeBSD client available.

Because all needed tools are included in MS Windows, it is easy to set this up on the client machines with no need of additional software.

--
Torge Szczepanek
On Wed, May 09, 2001 at 11:20:54AM +0530, Deepak singhal wrote:
> Hi All,
>
> I may be asking the question to the wrong mailing list but still would be grateful if someone could help me out or refer me to the right mailing list. Now the question:
>
> I want to do authentication and accounting for the users on the LAN who use my linux gateway for internet access. My linux box is running redhat 6.2 along with ipchains and masquerading done.
>
> I have tried using squid for authentication, i.e. username/password functionality, but this doesn't work with transparent proxying of squid. I don't know whether PPP over Ethernet can do this?
>
> Could anyone suggest me what to do so that I can authenticate my users on the LAN and also keep an accounting record for the usage. There are commercial versions available in the market doing the same but I want some freeware.
>
> What the commercial products do is that they have a client exe running on each machine on which the user enters his username and password, and that exe talks to some port no on the gateway where some sort of modified radius sits which does the user authentication based on the username/password and IP of the user, and the log is maintained for the usage.
>

All you will be able to account on will be individual computers, not users. If you want accounting, you'll need a non-transparent solution. You were on the right direction with squid, but you will _NOT_ find anything that is transparent and still be able to log based on user.

Mike
Hi,

I hope to do this for around 1000 users ... would a single machine be able to take the load/create VPNs of around 400 simultaneous users? Does some other form of authentication/accounting also exist?

Deepak

----- Original Message -----
From: "Torge Szczepanek" <advrouting@szczepanek.de>
To: "Deepak singhal" <dsinghal@spacewayindia.com>; <lartc@mailman.ds9a.nl>
Sent: Wednesday, May 09, 2001 11:58 AM
Subject: Re: [LARTC] Authetication on LAN

> Deepak singhal wrote:
>
> > I want to do authentication and accounting for the users on the LAN who
> > use my linux gateway for internet access. My linux box is running redhat
> > 6.2 along with ipchains and masquerading done.
> > proxying of squid. I don't know whether PPP over Ethernet can do this?
> > Could anyone suggest me what to do so that I can authenticate my users
> > on the LAN and also keep an accounting record for the usage. There
> > are commercial versions available in the market doing the same but I
> > want some freeware.
>
> You should take a look at PoPTop http://poptop.lineo.com/
>
> This is a solution for building a VPN Server. You can start a PPTP session
> to your gateway with user/password authentication. You can assign
> special IP addresses so you can also do accounting of traffic.
>
> I don't know how many users you need. It seems that this software is not
> yet tested with more than 50 or 60 users. I am planning to set up a test
> installation with authentication and accounting of about 4000 users,
> perhaps using a number of 4 to 8 gateways.
>
> It is based on the PPTP-protocol, which is implemented in Micro$oft
> Windows (VPN-Adapters). There is also a Linux and FreeBSD client available.
>
> Because all needed tools are included in MS Windows, it is easy to set
> this up on the client machines with no need of additional software.
>
> --
> Torge Szczepanek
>
On 09 May 2001 00:11:17 -0700, Mike Fedyk wrote:
> All you will be able to account on will be individual computers, not users.
> If you want accounting, you'll need a non-transparent solution. You were on
> the right direction with squid, but you will _NOT_ find anything that is
> transparent and still be able to log based on user.

Not true.

Grab an identd service for Windows that reports the user's login ID. Then use Squid's ident ACLs.
Deepak singhal wrote:
> I hope to do this for around 1000 users ... would a single machine be able
> to take the load/create VPNs of around 400 simultaneous users? Does some
> other form of authentication/accounting also exist?

I don't know. I am going to test this in the next 2 months.

--
Torge Szczepanek
On Thu, May 10, 2001 at 10:19:26AM -0400, Michael T. Babcock wrote:
> On 09 May 2001 00:11:17 -0700, Mike Fedyk wrote:
>
> > All you will be able to account on will be individual computers, not users.
> > If you want accounting, you'll need a non-transparent solution. You were on
> > the right direction with squid, but you will _NOT_ find anything that is
> > transparent and still be able to log based on user.
>
> Not true.
>
> Grab an identd service for Windows that reports the user's login ID.
> Then use Squid's ident ACLs.

This doesn't account any non-http protocols. On my network, users are using ftp, real audio, win media player, legacy aol, aim, icq.

How are you going to account those?

Mike
On 10 May 2001 16:24:23 -0700, Mike Fedyk wrote:
> This doesn't account any non-http protocols. On my network, users are using
> ftp, real audio, win media player, legacy aol, aim, icq.
>
> How are you going to account those?

Anything that runs through Socks4/5 (all of the above) can have per-user authentication.
On Thu, May 10, 2001 at 09:05:03PM -0400, Michael T. Babcock wrote:
> On 10 May 2001 16:24:23 -0700, Mike Fedyk wrote:
> > This doesn't account any non-http protocols. On my network, users are using
> > ftp, real audio, win media player, legacy aol, aim, icq.
> >
> > How are you going to account those?
>
> Anything that runs through Socks4/5 (all of the above) can have per-user
> authentication.

Ahh, but now we are talking about a non-transparent setup. I want something where it will work with any TCP/IP device without any setup besides setting IP and routing.

I'd like to see something that can identify which user is using each connection, and not need anything more than an identd. This would enable access for that ip/port as needed at layer 3/4.

Mike
On 10 May 2001 18:10:43 -0700, Mike Fedyk wrote:
> Ahh, but now we are talking about a non-transparent setup. I want something
> where it will work with any TCP/IP device without any setup besides setting
> IP and routing.
>
> I'd like to see something that can identify which user is using each
> connection, and not need anything more than an identd. This would enable
> access for that ip/port as needed at layer 3/4.

I'm not aware of one, but it shouldn't be too hard to write a program that would watch for outgoing connections via netlink (Linux) or some such device and request ident information about that user before deciding to allow or deny the request.

One might exist.
On Thu, May 10, 2001 at 09:15:56PM -0400, Michael T. Babcock wrote:
> On 10 May 2001 18:10:43 -0700, Mike Fedyk wrote:
> > Ahh, but now we are talking about a non-transparent setup. I want something
> > where it will work with any TCP/IP device without any setup besides setting
> > IP and routing.
> >
> > I'd like to see something that can identify which user is using each
> > connection, and not need anything more than an identd. This would enable
> > access for that ip/port as needed at layer 3/4.
>
> I'm not aware of one, but it shouldn't be too hard to write a program
> that would watch for outgoing connections via netlink (Linux) or some
> such device and request ident information about that user before
> deciding to allow or deny the request.
>
> One might exist.

What level of programming would it require? Perl, shell or C?

Mike
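Both the "identd on Windows plus Squid ident ACLs" suggestion and the idea of a gateway program that asks identd who owns each outgoing connection rest on the same RFC 1413 exchange. The example below is added here and is not code from the thread, from Squid or from any identd; it shows both sides of that exchange in-process: the gateway's query for a connection's port pair, a minimal identd answering from a connection table, and the gateway's parse of the reply. The connection table, the user names and the port numbers are constructed for the demonstration. The caveat a practitioner wants: the identd runs on the client host, so it reports whatever that host chooses to report. This identifies a session for logging; it does not authenticate it, which is why the thread's VPN and SOCKS answers exist.

```python
"""RFC 1413 (ident) exchange between a gateway and a client host.

Added example, not code from the thread or from Squid. The identd side is the
untrusted party: it answers from its own view of its connections.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IDENT_PORT = 113  # RFC 1413: the real query is a TCP connection to this port

# Constructed sample: what the client host's identd knows about its own
# outbound TCP connections, keyed by (local port, remote port).
CLIENT_CONNECTIONS: Dict[Tuple[int, int], str] = {
    (1045, 3128): "deepak",   # browser -> squid on the gateway
    (1046, 21): "deepak",     # ftp control connection
}

_QUERY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")
_REPLY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")


@dataclass
class IdentResult:
    ok: bool
    user: Optional[str]
    opsys: Optional[str]
    error: Optional[str]


def build_query(server_port: int, client_port: int) -> bytes:
    """Gateway side. RFC 1413 names the querying host's port 'server-port'
    and the identd host's own port 'client-port', in that order."""
    return f"{server_port}, {client_port}\r\n".encode("ascii")


def identd_respond(query: bytes, table: Dict[Tuple[int, int], str]) -> bytes:
    """Client-host side: a minimal identd answering from a connection table."""
    m = _QUERY_RE.match(query.decode("ascii", "replace"))
    if not m:
        return b"0, 0 : ERROR : INVALID-PORT\r\n"
    server_port, client_port = int(m.group(1)), int(m.group(2))
    if not (0 < server_port < 65536 and 0 < client_port < 65536):
        return f"{server_port}, {client_port} : ERROR : INVALID-PORT\r\n".encode()
    user = table.get((client_port, server_port))  # identd's local port first
    if user is None:
        return f"{server_port}, {client_port} : ERROR : NO-USER\r\n".encode()
    return f"{server_port}, {client_port} : USERID : UNIX : {user}\r\n".encode()


def parse_reply(reply: bytes, server_port: int, client_port: int) -> IdentResult:
    """Gateway side: parse the reply and insist it echoes the ports we asked about,
    so a stray or delayed reply cannot be attributed to the wrong connection."""
    m = _REPLY_RE.match(reply.decode("ascii", "replace"))
    if not m:
        return IdentResult(False, None, None, "malformed reply")
    if (int(m.group(1)), int(m.group(2))) != (server_port, client_port):
        return IdentResult(False, None, None, "port pair mismatch")
    if m.group(3) == "ERROR":
        return IdentResult(False, None, None, m.group(4))
    opsys, sep, user = m.group(4).partition(":")  # USERID : <opsys> : <user-id>
    if not sep or not user.strip():
        return IdentResult(False, None, None, "malformed USERID reply")
    return IdentResult(True, user.strip(), opsys.strip(), None)


def lookup_user(server_port: int, client_port: int,
                table: Dict[Tuple[int, int], str] = CLIENT_CONNECTIONS) -> IdentResult:
    """The whole exchange in-process: query, identd reply, parse. On the wire the
    query would be sent to TCP port 113 on the client host."""
    return parse_reply(identd_respond(build_query(server_port, client_port), table),
                       server_port, client_port)


if __name__ == "__main__":
    print(lookup_user(3128, 1045))   # the squid session above
    print(lookup_user(3128, 2000))   # no such connection: ERROR : NO-USER
```

Squid's `ident` ACL performs exactly this query for each client connection and puts the returned name in the access log, which is what the per-user logging in the thread relies on. A gateway-side program of the kind discussed would do the same per new connection and then decide on allow/deny; whatever it decides, the name it gets is the client host's claim, not a verified credential.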
On 10 May 2001 at 21:05, Michael T. Babcock wrote:
> Anything that runs through Socks4/5 (all of the above) can have
> per-user authentication.

This is slightly (?) off-topic, so I hope you all won't mind. Would anyone have a good SOCKS 4/5 daemon to recommend for Linux? Hopefully something that aside from being fast and stable, can handle per-user authentication.

Thanks in advance!

--> Jijo

---
Linux, MS-DOS, and Windows NT ...
... also known as the Good, the Bad, and the Ugly
That would solve my problem also ..!! If anybody can recommend a socks4/5 daemon with per user authentication ..

----- Original Message -----
From: "Federico Sevilla III" <jijo@i-manila.com.ph>
To: "LARTC Mailing List" <lartc@mailman.ds9a.nl>
Sent: Friday, May 11, 2001 3:56 PM
Subject: [LARTC] SOCKS4/5 daemon (was: Authetication on LAN)

> On 10 May 2001 at 21:05, Michael T. Babcock wrote:
> > Anything that runs through Socks4/5 (all of the above) can have
> > per-user authentication.
>
> This is slightly (?) off-topic, so I hope you all won't mind. Would anyone
> have a good SOCKS 4/5 daemon to recommend for Linux? Hopefully something
> that aside from being fast and stable, can handle per-user authentication.
>
> Thanks in advance!
>
> --> Jijo
>
> ---
> Linux, MS-DOS, and Windows NT ...
> ... also known as the Good, the Bad, and the Ugly
Federico Sevilla III
2001-May-11 12:44 UTC
Re: SOCKS4/5 daemon (was: Authetication on LAN)
On Fri, 11 May 2001 at 17:48, Deepak singhal wrote:
> That would solve my problem also ..!! If anybody can recommend a socks4/5
> daemon with per user authentication ..

I just did a quick search on Freshmeat and from the results it looks like Dante <http://www.inet.no/dante/> is the choice for those who don't fit in NEC's "free for non-commercial use" license. Supposedly Dante has username/password authentication for Socks5 support in place.

Has anyone tried Dante out? Perhaps someone could help and let us know if it's any good, or maybe if there's another program out there that might work better.

Thanks in advance. :)

--> Jijo

---
Linux, MS-DOS, and Windows NT ...
... also known as the Good, the Bad, and the Ugly
I use Dante on three clients' networks as well as my own and it works very well. Subscribe to their announcements list as they make new releases whenever they make (minor/bug fix) enhancements. Configuration is simple, but not all Socks compliant software supports authentication. Dante's configuration allows for multiple sets of allow/deny ACLs to cover all the possibilities.

> I just did a quick search on Freshmeat and from the results it looks like
> Dante <http://www.inet.no/dante/> is the choice for those who don't fit in
> NEC's "free for non-commercial use" license. Supposedly Dante has
> username/password authentication for Socks5 support in place.
>
> Has anyone tried Dante out? Perhaps someone could help and let us know if
> it's any good, or maybe if there's another program out there that might
> work better.
On Fri, 11 May 2001 17:48:07 +0530, you wrote:
> That would solve my problem also ..!! If anybody can recommend a socks4/5
> daemon with per user authentication ..

- www.socks.nec.com
- dante (I'm offline now, cannot check it): www.dante.com ?

Anyway, use google.com....

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
** RoMaN SoFt / LLFB **
roman@madrid.com
http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
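The per-user authentication that a SOCKS5 daemon such as Dante offers is the RFC 1928 method negotiation followed by the RFC 1929 username/password subnegotiation, after which every CONNECT the client issues can be logged against the authenticated name. The example below is added here and is not Dante's code or anything from the thread; it builds both sides' messages as bytes and runs one session in-process so the exchange can be read step by step. The user table, the salted hashes, the destination host and the accounting record format are constructed for the demonstration. Two details worth noting: the server never falls back to the "no authentication" method when the client offers it alongside username/password, and an unknown user costs the same hash computation as a wrong password so the failure path does not reveal which names exist.

```python
"""SOCKS5 greeting (RFC 1928), username/password subnegotiation (RFC 1929)
and CONNECT, with the per-user accounting record a proxy can keep.

Added example, not Dante's code. Users, hashes and destinations are constructed.
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

VER, AUTH_VER = 0x05, 0x01
METHOD_NOAUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x01, 0x03
_EMPTY_BIND = bytes([0x00, ATYP_IPV4]) + b"\0\0\0\0\0\0"  # RSV, ATYP, 0.0.0.0:0


def _pbkdf2(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


_SALT = b"demo-salt-16byte"  # constructed; use a per-user random salt in practice
USERS = {"deepak": _pbkdf2("s3cret", _SALT), "jijo": _pbkdf2("hunter2", _SALT)}
ACCOUNTING: List[dict] = []  # one record per authenticated CONNECT


# ---- client side -----------------------------------------------------------
def client_greeting() -> bytes:
    return bytes([VER, 1, METHOD_USERPASS])            # VER, NMETHODS, METHODS


def client_auth(user: str, pw: str) -> bytes:
    u, p = user.encode(), pw.encode()
    if not (0 < len(u) < 256 and 0 < len(p) < 256):
        raise ValueError("username and password must be 1..255 bytes")
    return bytes([AUTH_VER, len(u)]) + u + bytes([len(p)]) + p


def client_connect(host: str, port: int) -> bytes:
    h = host.encode("ascii")
    return bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(h)]) + h + struct.pack("!H", port)


# ---- server side -----------------------------------------------------------
def server_select_method(greeting: bytes) -> bytes:
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        return bytes([VER, METHOD_NONE_ACCEPTABLE])
    if METHOD_USERPASS in greeting[2:]:
        return bytes([VER, METHOD_USERPASS])
    return bytes([VER, METHOD_NONE_ACCEPTABLE])        # never downgrade to no-auth


def server_check_auth(msg: bytes) -> Tuple[bytes, Optional[str]]:
    """Returns (reply, authenticated user name or None)."""
    try:
        if msg[0] != AUTH_VER:
            raise ValueError
        ulen = msg[1]
        user = msg[2:2 + ulen]
        plen = msg[2 + ulen]
        pw = msg[3 + ulen:3 + ulen + plen]
        if len(user) != ulen or len(pw) != plen or len(msg) != 3 + ulen + plen:
            raise ValueError
    except (IndexError, ValueError):
        return bytes([AUTH_VER, 0x01]), None
    name = user.decode("utf-8", "replace")
    got = _pbkdf2(pw.decode("utf-8", "replace"), _SALT)  # computed for unknown users too
    expected = USERS.get(name)
    if expected is None or not hmac.compare_digest(got, expected):
        return bytes([AUTH_VER, 0x01]), None
    return bytes([AUTH_VER, 0x00]), name


def server_handle_connect(req: bytes, user: str) -> bytes:
    """Parse CONNECT (domain address type only), record user -> destination, reply."""
    if len(req) < 5 or req[0] != VER or req[1] != CMD_CONNECT:
        return bytes([VER, 0x07]) + _EMPTY_BIND            # command not supported
    if req[3] != ATYP_DOMAIN:
        return bytes([VER, 0x08]) + _EMPTY_BIND            # address type not supported
    n = req[4]
    if len(req) != 7 + n:
        return bytes([VER, 0x01]) + _EMPTY_BIND            # general failure
    host = req[5:5 + n].decode("ascii", "replace")
    port = struct.unpack("!H", req[5 + n:7 + n])[0]
    ACCOUNTING.append({"user": user, "dest": f"{host}:{port}"})
    return bytes([VER, 0x00]) + _EMPTY_BIND                # succeeded; no real socket here


def run_session(user: str, pw: str, host: str, port: int) -> dict:
    """Run the whole exchange in-process and return the server's view of it."""
    if server_select_method(client_greeting())[1] != METHOD_USERPASS:
        return {"ok": False, "stage": "method"}
    _, who = server_check_auth(client_auth(user, pw))
    if who is None:
        return {"ok": False, "stage": "auth"}
    rep = server_handle_connect(client_connect(host, port), who)
    return {"ok": rep[1] == 0x00, "stage": "connect", "user": who, "rep": rep[1]}


if __name__ == "__main__":
    print(run_session("deepak", "s3cret", "www.example.com", 80), ACCOUNTING)
```

This is what distinguishes the SOCKS answer from the ident one: the name in the accounting record was proven with a credential the gateway checked, so the log can be trusted per user rather than per machine. The price is the non-transparent setup Mike objects to, since each client application has to speak SOCKS, and the RFC 1929 password crosses the LAN in clear text, which is tolerable on a switched private segment and not elsewhere.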
On 10 May 2001 18:24:18 -0700, Mike Fedyk wrote:
> > I'm not aware of one, but it shouldn't be too hard to write a program
> > that would watch for outgoing connections via netlink (Linux) or some
> > such device and request ident information about that user before
> > deciding to allow or deny the request.
> >
> > One might exist.
>
> What level of programming would it require? Perl, shell or C?

Perl or C depending on the speed of your connection and your CPU horsepower (as every packet or packet header would be inspected).
On Sun, May 13, 2001 at 08:41:15PM -0400, Michael T. Babcock wrote:
> On 10 May 2001 18:24:18 -0700, Mike Fedyk wrote:
> > > I'm not aware of one, but it shouldn't be too hard to write a program
> > > that would watch for outgoing connections via netlink (Linux) or some
> > > such device and request ident information about that user before
> > > deciding to allow or deny the request.
> > >
> > > One might exist.
> >
> > What level of programming would it require? Perl, shell or C?
>
> Perl or C depending on the speed of your connection and your CPU
> horsepower (as every packet or packet header would be inspected).

Isn't there a way to only look at the packets that would be blocked by the filters? This would alleviate much of the burden on the processor for even a C program.
On Sun, May 13, 2001 at 06:13:03PM -0700, Mike Fedyk wrote:
> On Sun, May 13, 2001 at 08:41:15PM -0400, Michael T. Babcock wrote:
> > On 10 May 2001 18:24:18 -0700, Mike Fedyk wrote:
> > > > I'm not aware of one, but it shouldn't be too hard to write a program
> > > > that would watch for outgoing connections via netlink (Linux) or some
> > > > such device and request ident information about that user before
> > > > deciding to allow or deny the request.
> > > >
> > > > One might exist.
> > >
> > > What level of programming would it require? Perl, shell or C?
> >
> > Perl or C depending on the speed of your connection and your CPU
> > horsepower (as every packet or packet header would be inspected).
>
> Isn't there a way to only look at the packets that would be blocked by the
> filters? This would alleviate much of the burden on the processor for
> even a C program.

I believe that you can use the QUEUE target of netfilter to check packets in userland selectively.

Ramin
On Sun, May 13, 2001 at 09:25:20PM -0400, Ramin Alidousti wrote:
> On Sun, May 13, 2001 at 06:13:03PM -0700, Mike Fedyk wrote:
>
> > On Sun, May 13, 2001 at 08:41:15PM -0400, Michael T. Babcock wrote:
> > > On 10 May 2001 18:24:18 -0700, Mike Fedyk wrote:
> > > > > I'm not aware of one, but it shouldn't be too hard to write a program
> > > > > that would watch for outgoing connections via netlink (Linux) or some
> > > > > such device and request ident information about that user before
> > > > > deciding to allow or deny the request.
> > > > >
> > > > > One might exist.
> > > >
> > > > What level of programming would it require? Perl, shell or C?
> > >
> > > Perl or C depending on the speed of your connection and your CPU
> > > horsepower (as every packet or packet header would be inspected).
> >
> > Isn't there a way to only look at the packets that would be blocked by the
> > filters? This would alleviate much of the burden on the processor for
> > even a C program.
>
> I believe that you can use the QUEUE target of netfilter to check packets in
> userland selectively.
>
> Ramin

I think I saw something in 2.2 that will do that too, don't know the interface though...