(usr-tc) Special user groups under HiperArc
Is there a way to have the HiperArc "segregate" deal with a special group of users, so that all it allows them to do is httpd services?

The reason for asking is that AOL is not a local dialup for people in this area and they "piggyback" us to get to AOL via the Internet.

What I would like to do is assign them a user ID like aolusername and then have the HiperArcs "filter" the accounts with the aol PREFIX and then only allow the connection to AOL. I do not want them to have access to pop, ftp or news on our network at all since we are providing the dialup for AOL.

Does any of this make any sense? Would like any comments and/or suggestions on how we might handle this.

Thanks again!

==============================================================================
Phillip Ferraro                 WorldNet Access, Inc
pferraro@wna-linknet.com        Onslow County's PREMIER InterNet Service
Voice (910) 346-0835            824 Gumbranch Square, Suite Q
FAX (910) 455-1933              Jacksonville, Nc 28540-6269
==============================================================================

- To unsubscribe to usr-tc, send an email to "majordomo@xmission.com" with "unsubscribe usr-tc" in the body of the message. For information on digests or retrieving files and old messages send "help" to the same address. Do not use quotes in your message.
On Mon, 31 Jul 2000 pferraro@wna-linknet.com wrote:
> Is there a way to have the HiperArc "segregate" deal with a special group of users, so that all it allows them to do is httpd services?
Yes... It's totally possible. Since we use radiator as our radius server (http://www.open.com.au/radiator/), I'll use that as an example. You would define a filter on all your arcs that only allows access to the "AOL port" (see webmaster.aol.com for details on how AOL works) and give it a name such as "aolfilter". You could then mark all of these users as AOL users in whatever authentication scheme you use as AOL users (the simplest example would be making a unix group called "aoluser"). Radiator, and likely other radius servers, could then have a rule that states "if a user logs in and is in group 'aoluser', send a filter-id in this request for 'aolfilter'".

That's it in a nutshell. The arcs allow filters on a per user basis to be set in radius replies...

Charles
> The reason for asking is that AOL is not a local dialup for people in this area and they "piggyback" us to get to AOL via the Internet.
>
> What I would like to do is assign them a user ID like aolusername and then have the HiperArcs "filter" the accounts with the aol PREFIX and then only allow the connection to AOL. I do not want them to have access to pop, ftp or news on our network at all since we are providing the dialup for AOL.
>
> Does any of this make any sense? Would like any comments and/or suggestions on how we might handle this.
>
> Thanks again!
>
> ==============================================================================
> Phillip Ferraro                 WorldNet Access, Inc
> pferraro@wna-linknet.com        Onslow County's PREMIER InterNet Service
> Voice (910) 346-0835            824 Gumbranch Square, Suite Q
> FAX (910) 455-1933              Jacksonville, Nc 28540-6269
> ==============================================================================
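
The per-user filter assignment described in the reply above, shown at the RADIUS packet level as an added example (not code from either poster, and not Radiator configuration). It builds an RFC 2865 Access-Accept that carries Filter-Id for members of the "aoluser" group and parses it as the NAS would; the shared secret, request authenticator and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RFC 2865 packet code
FILTER_ID = 11      # RFC 2865 attribute type

# Constructed sample values, not taken from the thread.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))   # authenticator of the matching Access-Request

def filter_for(groups):
    """Rule from the reply: members of 'aoluser' are sent 'aolfilter'."""
    return "aolfilter" if "aoluser" in groups else None

def build_accept(ident, request_auth, secret, groups):
    """Server side: Access-Accept, with Filter-Id when the group rule matches."""
    attrs = b""
    name = filter_for(groups)
    if name is not None:
        value = name.encode("ascii")
        attrs += struct.pack("!BB", FILTER_ID, 2 + len(value)) + value
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_filter_ids(packet, request_auth, secret):
    """NAS side: verify the reply, then return the filter names it carries."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad length")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad response authenticator")
    found, i = [], 0
    while i < len(attrs):
        alen = attrs[i + 1] if i + 1 < len(attrs) else 0
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        if attrs[i] == FILTER_ID:
            found.append(attrs[i + 2:i + alen].decode("ascii"))
        i += alen
    return found

if __name__ == "__main__":
    pkt = build_accept(7, REQ_AUTH, SECRET, {"aoluser"})
    print(parse_filter_ids(pkt, REQ_AUTH, SECRET))
```

The NAS only receives the filter's name; the filter itself must already exist on every unit under that exact name, otherwise the attribute has nothing to refer to.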
I am looking for a good filter to place on our HUBS (HiperArcs) to block a particular usergroup from access to OUR standard services, i.e. telnet, pop, smtp, dns, nntp. I am not that familiar with filters, but have been reading several examples to include a few 3Com ones, however they are a little vague!

I would assume that since the dialup group will use tcp port 5190, that I can effectively block everything else here. I want to assign the Filter-Id in my radius users file. I would also need to know how to "Globally" apply the filter to all modem slots so that I would not have to do it to each individual slot.

I can use a little help here... Any comments/samples appreciated

==============================================================================
Phillip Ferraro                 WorldNet Access, Inc
pferraro@wna-linknet.com        Onslow County's PREMIER InterNet Service
Voice (910) 346-0835            824 Gumbranch Square, Suite Q
FAX (910) 455-1933              Jacksonville, Nc 28540-6269
==============================================================================

On Mon, 31 Jul 2000, Charles Sprickman wrote:
> On Mon, 31 Jul 2000 pferraro@wna-linknet.com wrote:
>
> > Is there a way to have the HiperArc "segregate" deal with a special group of users, so that all it allows them to do is httpd services?
>
> Yes... It's totally possible. Since we use radiator as our radius server (http://www.open.com.au/radiator/), I'll use that as an example. You would define a filter on all your arcs that only allows access to the "AOL port" (see webmaster.aol.com for details on how AOL works) and give it a name such as "aolfilter". You could then mark all of these users as AOL users in whatever authentication scheme you use as AOL users (the simplest example would be making a unix group called "aoluser"). Radiator, and likely other radius servers, could then have a rule that states "if a user logs in and is in group 'aoluser', send a filter-id in this request for 'aolfilter'".
>
> That's it in a nutshell. The arcs allow filters on a per user basis to be set in radius replies...
>
> Charles
>
> > The reason for asking is that AOL is not a local dialup for people in this area and they "piggyback" us to get to AOL via the Internet.
> >
> > What I would like to do is assign them a user ID like aolusername and then have the HiperArcs "filter" the accounts with the aol PREFIX and then only allow the connection to AOL. I do not want them to have access to pop, ftp or news on our network at all since we are providing the dialup for AOL.
> >
> > Does any of this make any sense? Would like any comments and/or suggestions on how we might handle this.
> >
> > Thanks again!
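
The filter behaviour asked about in the message above, modelled as an added example (not from the thread, and not HiperARC filter syntax): ordered first-match rules with a default reject, evaluated for traffic from the dial-in user against the services the post lists. The rule and flow structures, the addresses (documentation ranges) and the tighter destination-restricted variant are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action proto dst_port dst_net")   # None = wildcard
Flow = namedtuple("Flow", "name proto dst_ip dst_port")

def evaluate(rules, flow):
    """Ordered, first-match evaluation; anything unmatched is rejected."""
    for r in rules:
        if r.proto is not None and r.proto != flow.proto:
            continue
        if r.dst_port is not None and r.dst_port != flow.dst_port:
            continue
        if r.dst_net is not None and (ipaddress.ip_address(flow.dst_ip)
                                      not in ipaddress.ip_network(r.dst_net)):
            continue
        return r.action
    return "REJECT"

def accepted(rules, flows):
    """Names of the flows a filter lets through."""
    return [f.name for f in flows if evaluate(rules, f) == "ACCEPT"]

# Port-only policy as described in the post: TCP 5190 allowed, all else blocked.
PORT_ONLY = [Rule("ACCEPT", "tcp", 5190, None)]
# Tighter variant: also pin the destination. 192.0.2.0/24 is a placeholder
# for whatever address ranges the remote service actually publishes.
PORT_AND_NET = [Rule("ACCEPT", "tcp", 5190, "192.0.2.0/24")]

# Constructed flows covering the services named in the post.
FLOWS = [
    Flow("telnet", "tcp", "198.51.100.5", 23),
    Flow("smtp", "tcp", "198.51.100.5", 25),
    Flow("dns", "udp", "198.51.100.5", 53),
    Flow("pop", "tcp", "198.51.100.5", 110),
    Flow("nntp", "tcp", "198.51.100.5", 119),
    Flow("aol", "tcp", "192.0.2.10", 5190),
    Flow("other-5190", "tcp", "203.0.113.9", 5190),
]

if __name__ == "__main__":
    print("port only:   ", accepted(PORT_ONLY, FLOWS))
    print("port and net:", accepted(PORT_AND_NET, FLOWS))
```

A port-only rule accepts any host that listens on TCP 5190, so the destination-restricted variant is the one that limits the group to a single service.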