[CS-FSLUG] Radius Server

David Aikema david at aikema.net
Tue Jun 27 11:23:43 CDT 2006

On 6/27/06, Stephen J. McCracken <smccrack at hcjb.org.ec> wrote:
> Timothy Butler wrote:
> >       My church has been doing an expansion project, and I'm planning
> > laying out wireless access points over the whole building to blanket
> > it with Wi-Fi. This is good in that we could use access in different
> > rooms much of the time, but bad in that we don't want people to
> > freely come in with unfettered web access (surfing x-rated material
> > in a church just isn't something we want to encourage, ya know?).

> 4. Setup Squid (Proxy) and DansGuardian (Web Filter) on your Linux server.

Rather than taking the auto-detectable proxy approach, you could also
take the transparent proxy approach instead.

> >       Also, if this could be linked to some kind of total authentication
> > method that would cover Ethernet too, I'm game. It'd be nice if we
> > could make it necessary to have a user ID to use the wired Ethernet
> > jacks around the building too. I'm not familiar with the options in
> > that direction, though...

Something like this would probably work if you were to buy a managaed
switch.  Then you could (at least in the managed switches that I've
seen) enable and disable ports one at a time.  These are generally
more expensive than the unmanaged consumer switches, but from a quick
look at eBay you may be able to find some that won't break the bank.

Authentication systems like NoCatAuth (http://nocat.net/) are more
targetted at the wireless environment, but they might work with wired
networks as well (perhaps with a little bit of customization).

> 2. Use a DHCP server on the Linux server rather than the wireless points
> (setup the wireless in bridge mode).  Deny unknown clients (they'll get
> a 169.x.x.x address which won't go anywhere).  You'll need a bridge to
> connect the wireless to the wired network and make one network out of
> the two (see: http://www.wi-fiplanet.com/tutorials/article.php/1563991
> and http://tinyurl.com/hxdyz for ideas.)

> a. Rather than denying clients in DHCP, give them another subnet that
> has a DNS that resolves every address to your linux server.  Have Apache
> on your server show a default page with instructions on the steps
> involved to get authorized to use the network (e.g. Fill out
> application, Sign usage agreement, Have person "x" setup computer, etc.).

Perhaps beyond just a signup sheet, you could also give everyone who
wanders by access to your church's website.


More information about the Christiansource mailing list