Date:      Fri, 23 May 2003 12:45:09 +0200
From:      Martin Jessa <yazzy@ezunix.org>
To:        Terje Elde <terje@elde.org>, freebsd-isp@freebsd.org
Subject:   Re: Radius auth
Message-ID:  <20030523124509.62b6877b.yazzy@ezunix.org>
In-Reply-To: <20030523081947.GA13160@tiger.thinksec.no>
References:  <20030522134727.1adb7463.yazzy@ezunix.org> <20030523081947.GA13160@tiger.thinksec.no>

Hi Terje.

Yes, it seems like our setups are pretty similar.
I use FreeBSD 5.0 with mpd creating pptp vlan tunnels with both 40 and 128 bit encryption.
I allowed 40 bit encryption since some of our WLAN users still use Windows 9x which doesn't support any sane form of data protection...
I have a few IP-zones connected to a main server with mpd running on it. Some of the zones need to talk to AP's in between them and the main server because of the mountainous terrain.
I don't have any WEP encryption enabled since it's a joke and would just slow down the traffic. I am relying on what the security of the vpn tunnels can provide.
The main server acts as DHCPd, DNS, mail relay and firewall/gateway.
As it is now, users have their usernames and passwords stored in text files.
The windows clients create a "plain" pptp vpn tunnel to the main server.
The simplicity of the setup is one of the main issues.
I didn't do any particular tweaking on the server.
The maxuser is set to 64, no custom sysctl settings.
The value of mbuf clusters never goes insane.
I have 100 ng devices set up for usage but the clients do not seem to use more than 10 at a time.
The performance seems to be ok, I am getting 2.4 mbit on each of the nodes which is what the SDSL INET link uses.

What I really need to figure out now is how to enable bw throttling based on the users' usernames. So some of the users could get say 128 kbit and some 1 mbit without reconfiguring the DUMMYNET or ALTQ settings manually for each of the users. This is also pretty impossible since IPs of the users are handed out by our DHCP server and static IP allocation can only be done knowing the MAC addresses of the client cards, which too may change.
I am open to using any *NIX to make it work or any hardware solution as long as it's not windows based (as long as it works without periodic reboots).

Feel free to contact me any time Terje.

Best regards,
Martin

:)

On Fri, 23 May 2003 10:19:47 +0200
Terje Elde <terje@elde.org> wrote:

> On Thu, May 22, 2003 at 01:47:27PM +0200, Martin Jessa wrote:
> > My question may seem to be a bit off the list but I know that people here have both the experience and knowledge to help me out.
> > I have Soekris boxes placed in different places to serve WLAN access.
> > All of them are connected to a main FreeBSD server with mpd to create vpn tunnels and authenticate users, also acting as router and firewall/gateway.
> > I would like to have a central control center where I could add new accounts, check the account status, give the users certain bandwidth based on their username and possibly handle billing. Maybe with SQL or LDAP backend.
> > The best way would be to have all that enabled via a web based interface.
> > Is there any Radius setup supporting it?
> 
> Hi,
> 
> I'm doing this at my work.  We're using mpd, with PPTP from windows clients.
> On the authentication side, we've set up MS-CHAPv2, so we get MPPE 128-bit
> stateless encryption to the clients.
> 
> We're storing the username/password combos in a PostgreSQL database, and we're
> using FreeRadius for authenticating against it.  It works really well, and
> once it's up and running, it runs pretty smooth.
> 
> I should note that I think the FreeRadius in ports is a bit out of date, and
> the learning curve can be steep.
> 
> 
> Let me know if you want any help with this.
> 
> 
> I'm a bit curious about your mpd setup.  I've been experiencing that when
> using mpd and pptp over wireless, I get a crawling performance, and somewhere
> in the FreeBSD tcp/ip stack I end up running out of buffers.  Have you had any
> problems with this?
> 
> 
> Since we're running such similar setups, would you mind if I take note of your
> email for future reference?
> 
> Hope this helps,
> Terje
> -- 
> email:   terje@ipzone.biz   mobil: +47 40 83 10 24
> telefon: +47 67 55 04 00    fax:   +47 67 55 04 01
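Both mails revolve around mpd asking a RADIUS server (FreeRadius in Terje's case) to vouch for a username, and Martin wants per-user policy such as a bandwidth class to come from that same central place. The following is an added example, not code from either poster or from mpd/FreeRadius: a minimal RFC 2865 Access-Request/Access-Accept exchange in which the NAS side only trusts the reply's attributes after checking the Response Authenticator against the shared secret. The username "martin", the Filter-Id value "wlan-128k" and the secret are constructed; returning a policy name in Filter-Id is an assumption about how a server could hand a per-user class to the NAS, not something the thread describes.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, FILTER_ID = 1, 11  # attribute types from RFC 2865


def encode_attrs(attrs):
    """Pack (type, value) pairs as RADIUS TLVs; the length byte covers its own 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(blob):
    """Walk a TLV blob into {type: value}; reject truncated or zero-length entries."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        out.setdefault(blob[i], blob[i + 2:i + blob[i + 1]])
        i += blob[i + 1]
    return out


def build_packet(code, ident, authenticator, attrs_blob):
    return struct.pack("!BBH", code, ident, 20 + len(attrs_blob)) + authenticator + attrs_blob


def access_request(ident, username, request_auth=None):
    """NAS side: fresh random Request Authenticator, echoed by the server in its reply."""
    request_auth = request_auth or os.urandom(16)
    blob = encode_attrs([(USER_NAME, username.encode())])
    return build_packet(ACCESS_REQUEST, ident, request_auth, blob), request_auth


def response_authenticator(code, ident, attrs_blob, request_auth, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs_blob))
    return hashlib.md5(head + request_auth + attrs_blob + secret).digest()


def server_accept(request, secret, reply_attrs):
    """Server side: Access-Accept carrying per-user attributes, sealed with the shared secret."""
    ident, request_auth = request[1], request[4:20]
    blob = encode_attrs(reply_attrs)
    auth = response_authenticator(ACCESS_ACCEPT, ident, blob, request_auth, secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, blob)


def verify_reply(reply, request_auth, secret):
    """NAS side: return (code, attrs) only if the Response Authenticator checks out, else None."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return None
    code, ident = reply[0], reply[1]
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return None  # forged, tampered or wrong secret: never act on these attributes
    return code, decode_attrs(reply[20:])
```

A reply that fails the check yields None, so a NAS built this way never applies a bandwidth class or an accept it cannot tie back to its own request and secret.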