From owner-freebsd-isp Thu Nov 6 23:07:59 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id XAA14944 for isp-outgoing; Thu, 6 Nov 1997 23:07:59 -0800 (PST) (envelope-from owner-freebsd-isp)
Received: from freight.msn.bc.ca (pc-21656.bc.rogers.wave.ca [24.112.126.7]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id XAA14930 for ; Thu, 6 Nov 1997 23:07:46 -0800 (PST) (envelope-from webmaster@nwss.sd40.bc.ca)
Received: from [24.112.126.210] (lc575.msn.bc.ca [24.112.126.210]) by freight.msn.bc.ca (8.8.7/8.8.7) with ESMTP id XAA00380; Thu, 6 Nov 1997 23:09:58 -0800 (PST) (envelope-from webmaster@nwss.sd40.bc.ca)
X-Sender: bpepa@msn.bc.ca
Message-Id:
In-Reply-To:
References: <345E51BB.5739DD57@cbiowa.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 7 Nov 1997 00:11:38 -0800
To: Brian Weber
From: Ben Pepa
Subject: Re: User name authentication through firewalls
Cc: freebsd-isp@FreeBSD.ORG
Sender: owner-freebsd-isp@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> Here is what I am up against. I am asked to install a firewall that
> will allow traffic on different ports. So far pretty standard. They
> want that access given through user name not IP address. That is where
> the problem is. I have been told that NT can do this through their
> proxy server. Is this possible through FreeBSD or Linux or should I
> just go with the NT solution?
> Please tell me there is a way to make Unix do this!!!!
>

What I had implemented for our high school LAN was to use my FreeBSD box as a gateway using ipfw and natd. The clients were Novell & Macintosh computers running Netscape. Netscape would boot to a user login screen. They would submit their login name & password to the local server (as local packets didn't need exterior routing - our intranet). It would then, if authenticated, add a route from the client machine so they could get onto the internet.

And I set the server to log off clients after 30 minutes using crontab (by flushing the ipfw rules). This limited students to 30 minutes per login.

Ben
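
The scheme described in the reply above, as an added example that is not the poster's own script: one ipfw allow rule per authenticated client, plus a cron-driven expiry. It goes beyond the post by ending each session 30 minutes after its own login instead of flushing every rule at once. Assumed here: a 10.0.0.0/24 LAN, free rule numbers 20001-20254, the session file path, the function names, and an existing ruleset that already diverts to natd and denies unauthenticated LAN clients at a higher rule number.

```shell
#!/bin/sh
# Added example, not the original poster's script. Paths, rule numbers and the
# 10.0.0.0/24 LAN are assumptions.
IPFW="${IPFW:-echo ipfw}"               # dry run by default; IPFW=/sbin/ipfw on the gateway
SESSIONS="${SESSIONS:-/var/db/fw-sessions}"   # lines: "<rule> <ip> <login-epoch>"
BASE=20000                              # assumed free rule range 20001-20254
LIMIT=1800                              # 30 minutes per login, as in the post

# Print the last octet if $1 is a host in 10.0.0.0/24; reject anything else,
# so text from the login form never reaches the ipfw command line.
lan_octet() {
    case "$1" in 10.0.0.*) o=${1#10.0.0.} ;; *) return 1 ;; esac
    case "$o" in ''|0*|*[!0-9]*|????*) return 1 ;; esac
    [ "$o" -le 254 ] || return 1
    echo "$o"
}

# Called by the login page after the password check succeeds.
grant() {   # grant <client-ip> <now-epoch>
    o=$(lan_octet "$1") || { echo "rejected: $1" >&2; return 1; }
    rule=$((BASE + o))
    touch "$SESSIONS"
    if awk -v r="$rule" '$1 == r { f = 1 } END { exit !f }' "$SESSIONS"; then
        # Re-login: restart the clock without adding a duplicate rule.
        awk -v r="$rule" '$1 != r' "$SESSIONS" > "$SESSIONS.new"
        mv "$SESSIONS.new" "$SESSIONS"
    else
        $IPFW add "$rule" allow ip from "$1" to any
    fi
    echo "$rule $1 $2" >> "$SESSIONS"
}

# Run from cron every minute: delete only the rules whose login is LIMIT old.
expire() {  # expire <now-epoch>
    [ -f "$SESSIONS" ] || return 0
    awk -v now="$1" -v lim="$LIMIT" 'now - $3 >= lim { print $1 }' "$SESSIONS" |
        while read -r rule; do $IPFW delete "$rule"; done
    awk -v now="$1" -v lim="$LIMIT" 'now - $3 < lim' "$SESSIONS" > "$SESSIONS.new"
    mv "$SESSIONS.new" "$SESSIONS"
}

case "${1:-}" in
    grant)  grant "$2" "$(date +%s)" ;;
    expire) expire "$(date +%s)" ;;
esac
```

Because the rule number is derived from the validated address, a client can hold at most one rule, and the session file should be writable only by the account that runs the login handler and the cron job.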