Re: Allowing POP3 (email only) access
22-Jan-03 at 16:28, Lisa Casey ([EMAIL PROTECTED]) wrote :
> Hi,
>
> We acquired an ISP who is using Freeradius. There are several accounts on
> this system which are meant to be email only accounts (i.e. customers dial
> in and are authenticated using their dial-up username/password, then once
> they get connected they can check e-mail on that account or on an e-mail only
> account). An e-mail only account should not, of course, be able to log in
> via radius.

Unless it's an email only account which allows dialin but only for the
purposes of checking mail. We have a setup like that (users can dial in, but
from there the only IP/Port they can hit is ourmailserver:25 and
ourmailserver:110).

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Allowing POP3 (email only) access
How about setting Session-Timeout of the email only account to 1?
This is what I did (but not with FR).

/sm

On Thu, 2003-01-23 at 00:28, Lisa Casey wrote:
> Hi,
>
> We acquired an ISP who is using Freeradius. There are several accounts on
> this system which are meant to be email only accounts (i.e. customers dial
> in and are authenticated using their dial-up username/password, then once
> they get connected they can check e-mail on that account or on an e-mail only
> account). An e-mail only account should not, of course, be able to log in
> via radius.
>
> However this isn't how it has been working. Take the case of username
> sbmills who has an email only account of stan. Both sbmills and stan can dial
> in and get authenticated via radius. So in the users file I created as my
> first default entry:
>
> #
> DEFAULT Group == "mailusers", Auth-Type := Reject
>         Reply-Message = "You are using a mailonly account."
> #
>
> In /etc/group, I have a group mailonly, with GID of 105. Next I edited the
> password file (using vipw) and changed stan's group to 105. From the
> testing I have done though, it still appears that this user can dial in
> using the username stan and stan's password. Is there something I have
> neglected to do?
>
> Thanks,
>
> Lisa Casey
> Webmaster & SysAdmin
> Netlink 2000, Inc.
> [EMAIL PROTECTED]

RE: Allowing POP3 (email only) access
That's what we've done and it works.

--
Mike Ockenga, CCNP
[EMAIL PROTECTED]
Network Engineer II
Onvoy Inc.
300 North Highway 169
Minneapolis, MN 55441

-----Original Message-----
From: craig witter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 22, 2003 4:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Allowing POP3 (email only) access

You could change the shell to the no logon shell. That'll solve the problem
the easiest way I know of.

Re: Allowing POP3 (email only) access
You could change the shell to the no logon shell. That'll solve the problem
the easiest way I know of.

---------- Original Message -----------
From: "Lisa Casey" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wed, 22 Jan 2003 16:28:46 -0500
Subject: Allowing POP3 (email only) access

> Hi,
>
> We acquired an ISP who is using Freeradius. There are several
> accounts on this system which are meant to be email only accounts
> (i.e. customers dial in and are authenticated using their dial-up
> username/password, then once they get connected they can check
> e-mail on that account or on an e-mail only account). An e-mail only
> account should not, of course, be able to log in via radius.
>
> However this isn't how it has been working. Take the case of username
> sbmills who has an email only account of stan. Both sbmills and stan
> can dial in and get authenticated via radius. So in the users file I
> created as my first default entry:
>
> #
> DEFAULT Group == "mailusers", Auth-Type := Reject
>         Reply-Message = "You are using a mailonly account."
> #
>
> In /etc/group, I have a group mailonly, with GID of 105. Next I
> edited the password file (using vipw) and changed stan's group to
> 105. From the testing I have done though, it still appears that this
> user can dial in using the username stan and stan's password. Is
> there something I have neglected to do?
>
> Thanks,
>
> Lisa Casey
> Webmaster & SysAdmin
> Netlink 2000, Inc.
> [EMAIL PROTECTED]
------- End of Original Message -------

Re: Allowing POP3 (email only) access
"Lisa Casey" <[EMAIL PROTECTED]> wrote:
> However this isn't how it has been working. Take the case of username
> sbmills who has an email only account of stan. Both sbmills and stan can dial
> in and get authenticated via radius. So in the users file I created as my
> first default entry:
>
> #
> DEFAULT Group == "mailusers", Auth-Type := Reject
>         Reply-Message = "You are using a mailonly account."
> #
>
> In /etc/group, I have a group mailonly, with GID of 105. Next I edited the
> password file (using vipw) and changed stan's group to 105. From the
> testing I have done though, it still appears that this user can dial in
> using the username stan and stan's password. Is there something I have
> neglected to do?

  Run the server in debugging mode, and see IF it matches that line in
the 'users' file.

  Odds are that there is another configuration above it, which says to
authenticate the user, and that DEFAULT isn't reached.

  Alan DeKok.

Allowing POP3 (email only) access
Hi,

We acquired an ISP who is using Freeradius. There are several accounts on
this system which are meant to be email only accounts (i.e. customers dial
in and are authenticated using their dial-up username/password, then once
they get connected they can check e-mail on that account or on an e-mail only
account). An e-mail only account should not, of course, be able to log in
via radius.

However this isn't how it has been working. Take the case of username
sbmills who has an email only account of stan. Both sbmills and stan can dial
in and get authenticated via radius. So in the users file I created as my
first default entry:

#
DEFAULT Group == "mailusers", Auth-Type := Reject
        Reply-Message = "You are using a mailonly account."
#

In /etc/group, I have a group mailonly, with GID of 105. Next I edited the
password file (using vipw) and changed stan's group to 105. From the
testing I have done though, it still appears that this user can dial in
using the username stan and stan's password. Is there something I have
neglected to do?

Thanks,

Lisa Casey
Webmaster & SysAdmin
Netlink 2000, Inc.
[EMAIL PROTECTED]
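
An added example, not part of the original thread and not FreeRADIUS code: a simplified model of top-down, first-match processing of the users file, used to check which entry decides a login and whether each Group check item names a group that exists. The second DEFAULT entry, the passwd lines and the "users" group are constructed assumptions; the first entry and the mailonly group (GID 105) are taken from the post above.

```python
import re

# Constructed sample data; only the first DEFAULT entry and the "mailonly"
# group (GID 105) come from the thread. Everything else is an assumption.
USERS = '''\
DEFAULT Group == "mailusers", Auth-Type := Reject
        Reply-Message = "You are using a mailonly account."

DEFAULT Auth-Type := System
'''
GROUP = "users:x:100:\nmailonly:x:105:\n"
PASSWD = "sbmills:x:1000:100::/home/sbmills:/bin/sh\nstan:x:1001:105::/home/stan:/bin/sh\n"

def parse_users(text):
    """Split a users file into entries: (name, check_line, [reply lines])."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():            # indented line: reply item
            entries[-1][2].append(line.strip())
        else:                            # new entry: name + check items
            name, _, checks = line.partition(" ")
            entries.append((name, checks.strip(), []))
    return entries

def groups_of(user, passwd=PASSWD, group=GROUP):
    """Names of the groups a user belongs to (primary GID or member list)."""
    gid = {f[0]: f[3] for f in (l.split(":") for l in passwd.splitlines())}.get(user)
    rows = [l.split(":") for l in group.splitlines()]
    return {g[0] for g in rows if g[2] == gid or user in g[3].split(",")}

def decide(user, users=USERS):
    """Return (entry_index, Auth-Type) of the first entry that matches user."""
    for i, (name, checks, reply) in enumerate(parse_users(users)):
        if name not in (user, "DEFAULT"):
            continue
        wanted = re.findall(r'Group\s*==\s*"([^"]+)"', checks)
        if any(g not in groups_of(user) for g in wanted):
            continue                     # a Group check item failed
        auth = re.search(r'Auth-Type\s*:?=\s*(\S+)', checks)
        if auth and not any(re.match(r'Fall-Through\s*=\s*Yes', r, re.I) for r in reply):
            return i, auth.group(1).rstrip(",")
    return None, None

def unknown_groups(users=USERS, group=GROUP):
    """Group names referenced by check items but absent from the group file."""
    known = {l.split(":")[0] for l in group.splitlines()}
    return sorted(set(re.findall(r'Group\s*==\s*"([^"]+)"', users)) - known)
```

With this data, unknown_groups() reports "mailusers" and decide("stan") falls through to the second entry; replacing "mailusers" with "mailonly" in USERS makes the first entry reject stan while sbmills is still handled by the second.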