xpunkrockryanx Tux's lil' helper
Joined: 22 Sep 2002 Posts: 87 Location: College Place, WA, USA
Posted: Sun Jan 19, 2003 10:06 pm Post subject: multiple wireless networks - one vpn authentication database
Like the subject suggests, I'm hoping to set up some wireless networks in multiple locations (about 10 different coffee shops) where users could log on to a VPN server with one username/pass regardless of which of the 10 shops they were at and have access to the internet.
I've considered two different possibilities about how to achieve this. The first would be to have a VPN server at each shop which would then access a centralized authentication server when the user logged on. The second would be to have one centralized VPN server that the user would log on to (located at the ISP), and each location would have a firewall device that would accept only traffic that was VPN traffic from the VPN server, and drop all other traffic, thus forcing the user to log in to the VPN server to get any kind of internet access.
I'm expecting to use Gentoo boxes in either scenario, and FreeS/WAN for the VPN service. I haven't set up FreeS/WAN before, but I think I have a fairly good grasp on how the technology works, and would be able to set it up after reading some documentation. There's even a good article in Linux Journal magazine in the January and February issues that I was planning on reading. My main concern is using a centralized authentication server, something like a RADIUS server. I have absolutely no experience with any of these. I think I'd probably like to use one regardless of how I have the VPN set up, rather than having to set up a lot of user accounts on the actual VPN server itself. I'd like to use an open source type thing for this also. The names I've heard of are PAM (Pluggable Authentication Modules) and LDAP (Lightweight Directory Access Protocol). Are these related to what I'm looking for in any way? If somebody could point me in the right direction, I'd really appreciate it.
If anybody has any suggestions for me or can give me advice if you've set something like this up before, or just point me in the direction of some appropriate documentation, I'd really appreciate it.
Thanks,
Ryan
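The second design in the post above (a firewall at each shop that passes only VPN traffic to the central server) can be sketched as follows. This is an added example, not part of the original thread: a shell function that prints an iptables-restore ruleset. The server address, the interface names, the DHCP rule, and the reading of "VPN traffic" as IKE (UDP 500) plus ESP (IP protocol 50) are assumptions.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for one shop gateway that
# forwards only IPsec (IKE + ESP) between wireless clients and the VPN server.
# All addresses and interface names are caller-supplied assumptions.

valid_ipv4() {
    # Dotted quad, each octet 0-255.
    octet='(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^($octet\.){3}$octet\$"
}

gateway_rules() {
    vpn_ip=$1 lan_if=$2 wan_if=$3
    if ! valid_ipv4 "$vpn_ip" || [ -z "$lan_if" ] || [ -z "$wan_if" ]; then
        echo "usage: gateway_rules VPN_SERVER_IPV4 LAN_IF WAN_IF" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The gateway itself: loopback, replies to its own traffic, and DHCP
# (assumes the gateway hands out leases to wireless clients).
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -p udp --dport 67 -j ACCEPT
# Wireless client to VPN server: IKE (UDP 500) and ESP (IP protocol 50) only.
-A FORWARD -i $lan_if -o $wan_if -d $vpn_ip -p udp --dport 500 -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -d $vpn_ip -p 50 -j ACCEPT
# VPN server to wireless client: the matching return traffic.
-A FORWARD -i $wan_if -o $lan_if -s $vpn_ip -p udp --sport 500 -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -s $vpn_ip -p 50 -j ACCEPT
# Everything else falls through to the FORWARD policy and is dropped.
COMMIT
EOF
}

# Constructed sample invocation (documentation address, hypothetical NICs):
#   sh shop-gateway.sh 203.0.113.10 wlan0 eth0 | iptables-restore
if [ "$#" -eq 3 ]; then
    gateway_rules "$@"
fi
```

If the shop gateway NATs its wireless clients, ESP will not pass as written and IPsec NAT traversal (UDP 4500) would have to be allowed as well.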
xpunkrockryanx Tux's lil' helper
Joined: 22 Sep 2002 Posts: 87 Location: College Place, WA, USA
Posted: Tue Jan 21, 2003 6:54 pm
Does nobody have any suggestions for me on what software I should look into to keep these user accounts well managed? Thanks in advance for any suggestions.
Praxxus Apprentice
Joined: 26 Nov 2002 Posts: 193 Location: Indiana, US
Posted: Fri Jan 24, 2003 9:23 pm
Yes, I think PAM, LDAP, and FreeS/WAN will do what you want.
For PAM + LDAP, you'll need the nss_ldap and pam_ldap packages from www.padl.com/Contents/OpenSourceSoftware.html . Those can be conveniently "emerged" in Gentoo.
For FreeS/WAN, I would think you'd want to look into using x509 certificates for authentication, instead of a "shared secret" authentication method. See www.freeswan.ca/patches/ .
Are you going to let Windows users log into this?
_________________
My glaucoma just got worse!
xpunkrockryanx Tux's lil' helper
Joined: 22 Sep 2002 Posts: 87 Location: College Place, WA, USA
Posted: Sat Jan 25, 2003 7:36 am
Yes, the idea is to let as many people log into it as possible (different versions of Windows, Mac OS, etc.). Am I hasty in assuming I'll be able to find IPsec clients for various OSes?
Praxxus Apprentice
Joined: 26 Nov 2002 Posts: 193 Location: Indiana, US
Posted: Mon Jan 27, 2003 11:43 pm
See vpn.ebootis.de for Windows 2000/XP clients + instructions, though it might be too complicated for an average "Joe User" to install. People also have a lot of success using the SSH Sentinel client (free for non-commercial use, I believe). I'm not sure what platforms it supports.