Date: Fri, 17 Feb 2006 23:03:18 +0300
From: Odhiambo Washington <wash@wananchi.com>
To: freebsd-isp@freebsd.org
Subject: Re: walled garden concept
Message-ID: <20060217200318.GC10377@ns2.wananchi.com>
In-Reply-To: <d20e2c140602170907w11ff00dag@mail.gmail.com>
References: <20060217162927.GA23261@ns2.wananchi.com> <d20e2c140602170907w11ff00dag@mail.gmail.com>

* On 17/02/06 17:07 +0000, Siraj 'Sid' Rakhada wrote:
> Hello Wash,
>
> On 17/02/06, Odhiambo Washington <wash@wananchi.com> wrote:
> >
> > Does anyone know of any tutorials for setting up a "walled garden"?
> > I work for an ISP and we'd like to allow a specific dialup account
> > Free Access via our RADIUS, but we want to limit this user to access
> > just three or so urls: Our customer {registration|renewal|webselfcare}
> > interfaces only.
> >
> > I am looking for ideas on how this is done. I suppose it's done on the
> > NAS, yes?
>
> What equipment do you use for the dial-up end? I'm not sure how to do
> this on FreeBSD per se, but you can do this kind of solution on Cisco
> + RADIUS by sending an av-pair which says to the Cisco 'apply this
> access-list' to the virtual interface when the user logs on.
>
> Does this sound like the kind of solution you want?
>
> It's been a long long time since I last configured this kind of thing though!

That is like what I want, though I am not at all familiar with what it is
that I want ;-)

Let me expound:

I simply have three sites: http://{site2|site2|site3}.ourdomain.name
We use Cisco eqpt for NAS, and a RADIUS server.

site1, site2 and site3 are meant to allow customers to register for, renew
or manage the service they have purchased from us. A customer only gets a
card that has a serial number and a PIN from our system. This allows them
to sign up for or renew a service they already have. The last site allows
them the luxury to manage the service.

I am foreseeing a situation where I have a new 'customer' or one whose
service expired. I want these two to be able to dial in to my NASes for
free, but only get access to site1, site2 or site3. Everything else is
blocked, until they dial in with the name they are paying for. I will give
them a common userid/passwd pair for this purpose.

Now what I learnt was that the concept is called "walled garden".
Your instructions (or Read This F Manual) to do this are welcome.

PS: I have rcvd some pointers off list, but I need more ideas, really.

TIA

-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
+======================================================================+
    |\      _,,,---,,_     | Odhiambo Washington    <wash@wananchi.com>
Zzz /,`.-'`'    -.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_)     | GSM: +254 722 743223   +254 733 744121
+======================================================================+

"I cannot and will not cut my conscience to fit this year's fashions."
                -- Lillian Hellman
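
The approach discussed in this message (RADIUS returning a Cisco av-pair that applies an access list when the shared walled-garden account logs on), as an added example that is not part of the original e-mail or anyone's production config: it builds the ACL for the three sites and checks it top-down, first match wins, the way the NAS would. Assumptions: the addresses are constructed placeholders from documentation ranges, the clients need one DNS resolver to find the sites, the per-user `ip:inacl#<n>=` av-pair form is used, and the printed reply lines follow FreeRADIUS `users`-file style (the thread does not name the RADIUS server).

```python
# Added example: per-user ACL av-pairs for a walled-garden dial-up account.
# All names and addresses are constructed placeholders, not values from the thread.
import ipaddress

WALLED_SITES = {              # hypothetical addresses for site1/site2/site3
    "site1": "192.0.2.10",
    "site2": "192.0.2.11",
    "site3": "192.0.2.12",
}
DNS_SERVER = "192.0.2.53"     # assumed resolver handed to dial-up clients
WEB_PORTS = (80,)             # the thread gives http:// URLs; add 443 if sites use TLS

def build_rules():
    """Return ordered (action, proto, dst, port) tuples; order matters."""
    rules = [("permit", "udp", DNS_SERVER, 53)]   # name lookups for the sites
    for ip in WALLED_SITES.values():
        for port in WEB_PORTS:
            rules.append(("permit", "tcp", ip, port))
    rules.append(("deny", "ip", "any", None))     # explicit final deny
    return rules

def to_avpairs(rules):
    """Render rules as Cisco-AVPair values in the ip:inacl#<n>= form."""
    out = []
    for n, (action, proto, dst, port) in enumerate(rules, start=1):
        target = "any" if dst == "any" else f"host {dst}"
        tail = f" eq {port}" if port is not None else ""
        out.append(f"ip:inacl#{n}={action} {proto} any {target}{tail}")
    return out

def allowed(rules, proto, dst, port):
    """Evaluate one packet against the rules: top-down, first match wins."""
    dst = str(ipaddress.ip_address(dst))          # rejects malformed input
    for action, r_proto, r_dst, r_port in rules:
        if r_proto not in ("ip", proto):
            continue
        if r_dst not in ("any", dst):
            continue
        if r_port is not None and r_port != port:
            continue
        return action == "permit"
    return False                                  # implicit deny if nothing matched

if __name__ == "__main__":
    # Reply items for the shared walled-garden account (FreeRADIUS-style, assumed).
    for value in to_avpairs(build_rules()):
        print(f'Cisco-AVPair += "{value}"')
```

Running the `allowed()` check against the generated rules before loading them into RADIUS catches an ordering mistake, such as a deny placed above the permits, without needing a test dial-in.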