
I have two routers, let's call them A and B.

The primary idea is that B's clients need to be authenticated to access the internet.

A is connected to the internet.

B is physically connected to A (B's WAN interface to A's LAN interface).

A LAN IP: 128.0.0.1/24

B WAN IP: 128.0.0.2

B LAN IP: 10.0.0.1/24

The FreeRADIUS server is connected to A and has the IP 128.0.0.10.

So what I thought was to set B's gateway to 128.0.0.10.

The problem now is how do I set up the server as a FreeRADIUS client that prohibits unauthenticated users from accessing the internet.

I'd like to have the client as a web client (FreeRADIUS's Apache module?)

  • Let me see if I understand your idea: you want to have a separate network where hosts can reach the Internet only after authentication. That authentication should happen via the browser. The credentials for who can access the internet are centralized on a server that must be located outside this "untrusted" network. Does that describe your need? – Pablo Jun 24 '17 at 15:16
  • Yeah, you get the idea. – Victor Aurélio Jun 24 '17 at 15:20
  • Do you mind if I edit the question? You are using the term NAS (which usually means "Network Attached Storage", a way to name a single-purpose device that offers storage accessible through one or several network protocols) and I think you mean an authenticating proxy. At the same time, FreeRADIUS is a server software that provides authentication using the RADIUS protocol to devices like Access Servers, wireless access points and other network elements where clients provide credentials to log in. The edit would be to make the proposed answer useful to others seeking the same. – Pablo Jun 25 '17 at 00:03
  • @Pablo you can edit if you want; the NAS term I used stands for [Network Access Server](https://wiki.freeradius.org/glossary/NAS). – Victor Aurélio Jun 25 '17 at 16:37
  • "The problem now is how do I set up the server as a FreeRADIUS client that prohibits unauthenticated users from accessing the internet." Here is the hint for you - "MAC address". – Danila Ladner Jun 26 '17 at 12:50
  • The B clients should be authenticated by 802.11x authentication (that supports RADIUS authentication). It isn't done via the browser, and it also denies users access to the local network. – Giorgio Marziani de Paolis Jun 28 '17 at 08:21
  • @GiorgioMarziani the B router does not support it, and I personally like login pages like those in high college. – Victor Aurélio Jun 28 '17 at 15:48
  • @VictorAurélio what about setting up an HTTP proxy with RADIUS authentication? – Giorgio Marziani de Paolis Jun 28 '17 at 15:52
  • If it is all done in the network (A, B, and Server), OK; if it requires users to set it up on their devices, it is not what I want. – Victor Aurélio Jun 28 '17 at 16:22

0 Answers