> We have a situation where we have trusted IP addresses and non-trusted IP
> addresses to certain resources. We want to be able to have these people be
> able to dial in to any of our PM3s across the network. We also don't want
> to block the non-trusted users from hitting the resources by loading a
> filter, as the resources can change daily at times and would make
> maintaining it a real chore. We also can't load static IPs for the trusted
> users as there are over 1,500 of them, not a real good use of IP addresses.
>
> What we are hoping we can do is assign a class "C" address block to the
> trusted list and then only assign IPs from that pool to the trusted users
> and still assign IPs from the other blocks to the non-trusted users. The
> question, in a nutshell, is: can we assign IP addresses dynamically from
> two different pools of numbers? Or is there some other way to do what we
> are trying to do without setting up separate modem pools?
There are a couple ways I can think of to do this. One would involve some
ugly hacking to the RADIUS daemon... You could have two (or more) DEFAULT
entries with a "Group" check-item. Place the trusted users into a Unix
group called "trusted", then have that RADIUS entry assign them an IP
address from the protected pool. The former you can do without any
modifications, the latter you would have to modify the RADIUS daemon to do
the IP address assignment "dynamically" (in this model, the PM would think
it was a static IP because normally it handles the IP assignment and the
only time it would get an IP from RADIUS is if it was for a static
IP--here you are simply giving the entire job of IP assignment to the
RADIUS server).
The second solution, a better one if it will work for you, would be to use
our ChoiceNet implementation to assign dynamic filters to users. You
didn't really define what you mean by "trusted IP addresses"...if you
could use filters to do it now (other than the fact that the users have
dynamic IP addresses), then this would allow you to do it regardless of
what IP the user gets assigned. If you instead mean "trusted IP
addresses" by ones that are allowed through a firewall, not limited by a
.htaccess file for your web server, allowed via hosts.allow/deny using
TCPWrap or similar--then ChoiceNet may not work without some major
redesign of your security enforcement structure. In that case, the first
answer will work.
The first one is not really all that hard to implement--I just think it
isn't "clean"...but I can't claim to be innocent of it completely,
either.. ;) There are some third-party bits of code I know that are around
that can help you with the RADIUS IP assignment portion. You don't have
to worry about the Group stuff--that is in the latest RADIUS daemon
(2.0.1).
Good luck.
my $0.02 + $0.50.. ;)
>
> Any help would be greatly appreciated,
>
> Jeff Richardson
> Internet Manager
> Burgoyne Computers
----
Josh Richards - <jrichard@livingston.com>
Beta Engineer
Lucent Technologies (Remote Access Business Unit)
(previously Livingston Enterprises, Inc.)
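The following is an added illustration of the first approach in the reply above (two DEFAULT entries distinguished by a Group check item, with the RADIUS server rather than the PortMaster handing out addresses from per-group pools). It is example code written for this page, not Livingston RADIUS code and not a real users-file dialect: the Unix group table, the users-file text, the address blocks and the `POOL(name)` reply-item syntax are all constructed stand-ins for the daemon modification the reply describes.

```python
"""Simulation of group-based dynamic IP assignment in a RADIUS server.

Constructed example: models two DEFAULT users-file entries, the first of
which matches only members of the Unix group "trusted" and assigns an
address from the protected block, while the second catches everyone
else and assigns from a general block.
"""
import ipaddress
import re

# Constructed stand-in for /etc/group membership.
UNIX_GROUPS = {"trusted": {"alice", "bob"}}

# Constructed users-file text, loosely shaped like a Livingston users file:
# name plus comma-separated check items on the first line, reply items on
# the indented lines below. "POOL(name)" as a Framed-IP-Address value is a
# hypothetical extension standing in for the daemon change the reply
# mentions; it is not real RADIUS syntax. Order matters: the trusted
# entry must come first so the catch-all entry does not shadow it.
USERS_FILE = """\
DEFAULT Group = "trusted", Password = "UNIX"
        User-Service = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = POOL(trusted)

DEFAULT Password = "UNIX"
        User-Service = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = POOL(public)
"""

# Constructed address blocks (documentation ranges): the protected class C
# for trusted users and a second block for everyone else.
POOLS = {"trusted": "192.0.2.0/24", "public": "198.51.100.0/24"}


def parse_items(text):
    """Parse 'Attr = value, Attr = value' into a list of (attr, value)."""
    items = []
    for part in text.split(","):
        part = part.strip()
        if part:
            attr, _, value = part.partition("=")
            items.append((attr.strip(), value.strip().strip('"')))
    return items


def parse_users_file(text):
    """Return (name, check_items, reply_items) tuples in file order."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        name, _, checks = lines[0].partition(" ")
        replies = " ".join(line.strip() for line in lines[1:])
        entries.append((name, parse_items(checks), parse_items(replies)))
    return entries


class Pool:
    """Hands out host addresses from one block, one lease per session."""

    def __init__(self, network):
        self.hosts = list(ipaddress.ip_network(network).hosts())
        self.leases = {}  # IPv4Address -> username

    def allocate(self, user):
        for addr in self.hosts:
            if addr not in self.leases:
                self.leases[addr] = user
                return str(addr)
        return None  # exhausted: caller rejects instead of falling through

    def release(self, addr):
        self.leases.pop(ipaddress.ip_address(addr), None)


def check_passes(attr, value, user):
    """Evaluate one check item; only Group and Password are modelled."""
    if attr == "Group":
        return user in UNIX_GROUPS.get(value, set())
    if attr == "Password":
        return True  # constructed: assume the Unix password already verified
    return False


class Server:
    def __init__(self, users_text, pools):
        self.entries = parse_users_file(users_text)
        self.pools = {name: Pool(net) for name, net in pools.items()}

    def authorize(self, user):
        """Reply items for the first matching entry, or None (Access-Reject)."""
        for name, checks, replies in self.entries:
            if name not in ("DEFAULT", user):
                continue
            if not all(check_passes(a, v, user) for a, v in checks):
                continue
            reply = {}
            for attr, value in replies:
                pool = re.fullmatch(r"POOL\((\w+)\)", value)
                if attr == "Framed-IP-Address" and pool:
                    value = self.pools[pool.group(1)].allocate(user)
                    if value is None:
                        return None  # pool empty: reject, never leak an IP
                reply[attr] = value
            return reply
        return None


if __name__ == "__main__":
    srv = Server(USERS_FILE, POOLS)
    for who in ("alice", "carol"):
        print(who, srv.authorize(who))
```

Because the server returns a concrete Framed-IP-Address in every reply, the PortMaster treats each login as a static assignment, which is exactly the effect the reply describes; the server, not the NAS, now owns the lease table, so it also has to release addresses on Accounting-Stop and refuse logins when a pool is empty rather than silently handing out an address from the wrong block.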