Re: Distributing Certificates

2012-01-20 Thread Phil Mayers

On 01/20/2012 02:36 PM, Alan Buxey wrote:


> CA distribution was always the issue for private CA - but most sites now go
> for using a deployment tool of some kind to get clients set up - and all of
> them can deal with installing a CA, so that's a problem gone.  the system is
> closed-loop, visitors never need to trust your RADIUS server cert...only your
> own folk do - so why use public in this space?


Couple of things to note:

Firstly, *if* you are using a public CA you should try very, very hard 
to ensure your clients are checking the cert CN. This somewhat 
alleviates the "anyone can buy a cert" risk.


Secondly, there's not much point in going for a "super cheap" public CA. 
You only need one cert, and don't need very esoteric options like EV or 
multiple subjectAltNames. This keeps the cost reasonably sane, and 
therefore you might as well shell out for a Verisign (or similar) one.


Doing that gives you a slightly better chance the CA will not hand out 
random crap to attackers, and *much* better probability the CA will be 
present on clients already.


You mention "most sites use a deployment tool". I'd be interested to see 
numbers on that, but it's probably OT for the list.


As I've said previously - people thinking of using a public CA should be 
very sure they understand and accept the risks. I agree the safe default 
is to use a private CA.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
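
The two client-side checks discussed in the message above (which CA the client trusts, and whether it checks the certificate name), modelled with the openssl command line. This is an added example, not part of the thread: the CA names and hostnames are constructed, and `openssl verify` stands in for the supplicant's own validation.

```bash
#!/bin/sh
# Added example. All CA names and hostnames are constructed; `openssl verify`
# stands in for the supplicant's certificate validation.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Own minimal config, so the result does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca NAME: self-signed root CA, written to $WORK/NAME.pem
make_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue CA LABEL CN: server certificate for CN, signed by CA, at $WORK/LABEL.pem
issue() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
    -out "$WORK/$2.pem" 2>/dev/null
}

# accepts ANCHOR CERT [NAME]: succeeds when a client that trusts only ANCHOR,
# and insists on NAME if one is given, would accept CERT.
accepts() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$3" \
      "$WORK/$2.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
  fi
}

show() {  # show LABEL ANCHOR CERT [NAME]
  label=$1; shift
  if accepts "$@"; then echo "$label: accept"; else echo "$label: REJECT"; fi
}

make_ca campus-private-ca   # the site's own CA
make_ca public-ca           # stand-in for a commercial CA that sells to anyone
issue campus-private-ca ours-private   radius.example.org
issue public-ca         ours-public    radius.example.org
issue public-ca         other-customer radius.other.example

NAME=radius.example.org
echo "== client trusts the public CA, no name check =="
show "our server    " public-ca ours-public
show "other customer" public-ca other-customer
echo "== client trusts the public CA and checks the name =="
show "our server    " public-ca ours-public "$NAME"
show "other customer" public-ca other-customer "$NAME"
echo "== client trusts only the private CA, no name check =="
show "our server    " campus-private-ca ours-private
show "other customer" campus-private-ca other-customer
```

Only the first policy accepts the other customer's certificate. Checking the name or trusting only the private CA each rejects it on its own.
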


Re: Distributing Certificates

2012-01-20 Thread Alan Buxey
Hi,

> If you're using a private CA for signing the radius server certs, which 
> is generally cited as best practice because it provides belt & braces; 
> in the event a client does not learn & subsequently re-check the cert 
> CN, a public CA would allow an attacker to impersonate your SSID. A 
> private CA does not.
> 
> Some people (us included) choose to use a public CA and accept the risk, 
> in return for significantly easier deployment.


private CA

pros

-under full control of organisation
-the organisation only can sign servers
-for 802.1X your clients only need to trust your server - closed loop. so why use public?

cons

-CA management - skillset, can someone do the same in X years?
-distribution of the CA to the client


Public CA

pros

-most clients have the CA already present
-no need to learn about CA/PKI to such low level

cons

-under whims of the CA and their issues (recall the Dutch CAs now revoked and now invalid)
-under whims of the remote CA policy (changing from being a root to intermediate)
-anyone can buy a certificate from a CA
-distribution - some CAs aren't on clients..so you need to distribute it anyway


personal opinion

CA distribution was always the issue for private CA - but most sites now go for
using a deployment tool of some kind to get clients set up - and all of them
can deal with installing a CA, so that's a problem gone.  the system is
closed-loop, visitors never need to trust your RADIUS server cert...only your
own folk do - so why use public in this space?


alan


Re: Distributing Certificates

2012-01-20 Thread Phil Mayers

On 01/20/2012 08:16 AM, Mark Holmes wrote:

>> Your problem is going to be distributing the server cert to
>> the clients NOT distributing client
>
> Maybe I've missed something here, but why will he need to distribute
> a cert to clients?


If you're using a private CA for signing the radius server certs, which 
is generally cited as best practice because it provides belt & braces; 
in the event a client does not learn & subsequently re-check the cert 
CN, a public CA would allow an attacker to impersonate your SSID. A 
private CA does not.


Some people (us included) choose to use a public CA and accept the risk, 
in return for significantly easier deployment.



Re: Distributing Certificates

2012-01-20 Thread Mark Holmes
> Your problem is going to be distributing the server cert to the clients NOT
> distributing client

Maybe I've missed something here, but why will he need to distribute a cert to 
clients?

If the certificate you use on your RADIUS server is signed by a known CA - in 
which case the client should already have the relevant root certificate and so 
will trust the certificate presented by the server.

This is assuming he is using certificates for confirming identity of the 
server, not for EAP-TLS etc.

Cheers,

Mark



On 6 Jan 2012, at 21:43, "Sallee, Stephen (Jake)"  wrote:

> It may be a misunderstanding on my part but I believe any encrypted protocol 
> would need a cert of some sort.  PEAP is an encrypted tunnel thus you will 
> need a cert.  FR will generate its own certs for testing but for production 
> you should generate your own.  We are making the move to 802.1x in the next 
> few months and will be using a self-signed cert on the FR server and 
> deploying it to the users' machines via a third party tool from a company 
> called cloud path.
>
> Suffice it to say that Windows Vista and beyond MUST have the server cert
> installed or be configured to ignore server certs before you can use any
> encrypted protocol (such as, PEAP).  It WILL NOT work out-of-the-box!  XP
> would show you a dialogue box with a warning but that functionality is gone
> in Vista and 7.
>
> Mac OS and Linux will still allow you to download the cert and install it on
> first use, Windows will not.
>
> Your problem is going to be distributing the server cert to the clients NOT
> distributing client certs (unless you are using EAP/TLS or the like), as
> mentioned before AD makes this easy via GPO / login scripts.  However if your
> clients are not part of your domain then you have very few choices.
>
> 1) Roll your own program to install the cert for them
> 2) Buy a solution to install the cert (like cloud path)
> 3) issue instructions to the clients and have them install the certs manually
> 4) go around and install all the certs yourself
>
> There are pros and cons for each.  BTW for security reasons you should use a
> self-signed cert, that being the case you can make the cert valid for 99
> years, then revoke it when you have time to redistribute them ; )
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> 900 College St.
> Belton, Texas
> 76513
> Fone: 254-295-4658
> Phax: 254-295-4221

RE: Distributing Certificates

2012-01-06 Thread Sallee, Stephen (Jake)
It may be a misunderstanding on my part but I believe any encrypted protocol 
would need a cert of some sort.  PEAP is an encrypted tunnel thus you will need 
a cert.  FR will generate its own certs for testing but for production you 
should generate your own.  We are making the move to 802.1x in the next few 
months and will be using a self-signed cert on the FR server and deploying it 
to the users' machines via a third party tool from a company called cloud path. 
 

Suffice it to say that Windows Vista and beyond MUST have the server cert
installed or be configured to ignore server certs before you can use any
encrypted protocol (such as, PEAP).  It WILL NOT work out-of-the-box!  XP would
show you a dialogue box with a warning but that functionality is gone in Vista
and 7.

Mac OS and Linux will still allow you to download the cert and install it on
first use, Windows will not.

Your problem is going to be distributing the server cert to the clients NOT
distributing client certs (unless you are using EAP/TLS or the like), as
mentioned before AD makes this easy via GPO / login scripts.  However if your
clients are not part of your domain then you have very few choices.

1) Roll your own program to install the cert for them
2) Buy a solution to install the cert (like cloud path)
3) issue instructions to the clients and have them install the certs manually
4) go around and install all the certs yourself

There are pros and cons for each.  BTW for security reasons you should use a
self-signed cert, that being the case you can make the cert valid for 99 years,
then revoke it when you have time to redistribute them ; )

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221


-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of McSparin, Joe
Sent: Friday, January 06, 2012 3:07 PM
To: FreeRadius users mailing list
Subject: RE: Distributing Certificates

I don't have any particular desire to use certificates thus far in testing mode 
have been using PEAP and just ignoring the warning that tells me there is a 
certificate on the server that doesn't match.  I assumed in deployment I would 
have to install certificates so the users wouldn't be confused when they saw 
that message.  I thought that FreeRadius had to have certificates set up even 
if they were just example ones.  Radiusd -X runs bootstrap which creates 
example certificates automatically.  This led me to believe that certificates 
were somehow integral to 802.1x.  Is that not the case?  If so how can you take 
certificates completely out of the equation?


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org


Re: Distributing Certificates

2012-01-06 Thread Alan Buxey
Hi,
> I don't have any particular desire to use certificates thus far in testing 
> mode have been using PEAP and just ignoring the warning that tells me there 
> is a certificate on the server that doesn't match.  I assumed in deployment I 
> would have to install certificates so the users wouldn't be confused when 
> they saw that message.  I thought that FreeRadius had to have certificates 
> set up even if they were just example ones.  Radiusd -X runs bootstrap which 
> creates example certificates automatically.  This led me to believe that 
> certificates were somehow integral to 802.1x.  Is that not the case?  If so 
> how can you take certificates completely out of the equation?

2 ways of using certs.

1) using them for authentication (eg EAP-TLS)

2) using them to validate that the RADIUS server is the one you really want to 
be talking to


i guess you want the latter - in this case, you need to either have a RADIUS
server signed by a CA that is present already in the OS (eg signed by one of
the well known names) or you need to put the CA onto your client.

either way, the client really should be configured (in its 802.1X settings) to
validate the RADIUS server 'name' (via the Common name in the RADIUS server
cert) and the CA.

there can be a whole advocacy thread about whether to go for self-signed cert
and local CA or to go with known CAs - there's pros and cons in both ways...
with your OWN CA you can decide the length of time the CA and cert are valid
for...you control the CA and no one can pay to get a server signed by your CA -
unless you've got major internal corruption issues ;-)  - but you've got to get
it deployed.   if you choose a known CA... well, anyone can get a cert signed
by a known CA if they pay the money... so you REALLY need to check the CN of
the RADIUS server... you are also a slave to the CA and its reputation.. until
recently that wasn't too bad but with the couple of Dutch CAs that have been
removed from OSes..that could have been quite awkward if they'd signed your
server cert...

alan


Re: Distributing Certificates

2012-01-06 Thread Francois Gaudreault
I mean, if you refer to the "validate server certificate" option, you 
will need to have a CA installed on the RADIUS side (probably your 
domain CA), then generate a server certificate signed with the CA for 
RADIUS, but you only need to install the CA on the machines, not client 
certs.


That can be easily done using a GPO like others said.

Unless you want to do EAP-TLS, but that's another story.

On 12-01-06 4:07 PM, McSparin, Joe wrote:

> I don't have any particular desire to use certificates thus far in testing mode
> have been using PEAP and just ignoring the warning that tells me there is a
> certificate on the server that doesn't match.  I assumed in deployment I would
> have to install certificates so the users wouldn't be confused when they saw
> that message.  I thought that FreeRadius had to have certificates set up even
> if they were just example ones.  Radiusd -X runs bootstrap which creates
> example certificates automatically.  This led me to believe that certificates
> were somehow integral to 802.1x.  Is that not the case?  If so how can you take
> certificates completely out of the equation?
>
>
> Joseph R. McSparin
> Network Administrator
> Hill Country Memorial Hospital
> 830 990 6638 phone
> 830 990 6623 fax
> jmcspa...@hillcountrymemorial.org

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



RE: Distributing Certificates

2012-01-06 Thread McSparin, Joe
I don't have any particular desire to use certificates thus far in testing mode 
have been using PEAP and just ignoring the warning that tells me there is a 
certificate on the server that doesn't match.  I assumed in deployment I would 
have to install certificates so the users wouldn't be confused when they saw 
that message.  I thought that FreeRadius had to have certificates set up even 
if they were just example ones.  Radiusd -X runs bootstrap which creates 
example certificates automatically.  This led me to believe that certificates 
were somehow integral to 802.1x.  Is that not the case?  If so how can you take 
certificates completely out of the equation?


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From: 
freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org]
 On Behalf Of David Mitton
Sent: Friday, January 06, 2012 12:44 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: Distributing Certificates

You can do such things as suggested... but you haven't articulated  
what your goal is and what you will be using the certificates for?
802.1X doesn't "require" certificates... but you may want to use them  
depending on what you are trying to do.

Dave.



-- 
This email message and any attachments are for the sole use of the intended 
recipient(s) and contain confidential and/or privileged information. Any 
unauthorized review, use, disclosure or distribution is prohibited. If you are 
not the intended recipient, please contact the sender by reply email and 
destroy all copies of the original message and any attachments.





Re: Distributing Certificates

2012-01-06 Thread Francois Gaudreault
If your PCs are all Windows, and they are all members of an AD domain (or 
subdomains), use PEAP with machine auth (or machine+user auth).  It is 
much less painful than deploying 600 client certificates.


PEAP also works with Mac OS X and Linux boxes using user authentication.

On 12-01-06 1:44 PM, David Mitton wrote:

> You can do such things as suggested... but you haven't articulated
> what your goal is and what you will be using the certificates for?
> 802.1X doesn't "require" certificates... but you may want to use them
> depending on what you are trying to do.
>
> Dave.


--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



RE: Distributing Certificates

2012-01-06 Thread David Mitton
You can do such things as suggested... but you haven't articulated  
what your goal is and what you will be using the certificates for?
802.1X doesn't "require" certificates... but you may want to use them  
depending on what you are trying to do.


Dave.


Quoting "Danner, Mearl" :

> If you are using AD and have a CA set up you can create
> autoenrollment gpo's for domain attached machines. You can issue
> either user or computer certs. Can also configure the Windows
> wireless supplicant via gpo.
>
> Mearl



RE: Distributing Certificates

2012-01-06 Thread Danner, Mearl
If you are using AD and have a CA set up you can create autoenrollment gpo's 
for domain attached machines. You can issue either user or computer certs. Can 
also configure the Windows wireless supplicant via gpo.

Mearl

From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On 
Behalf Of McSparin, Joe
Sent: Friday, January 06, 2012 10:18 AM
To: FreeRadius users mailing list
Subject: Distributing Certificates

Now that I have my Radius server configured I need to begin implementation I 
have 600 computers that will be using it.  The question I am wondering is do I 
have to go around and install a certificate on every one of the computers and 
then maintain that every year changing out the certificate on 600 computers or 
is there some way that the server passes out certificates when the machine logs 
on.  Or do I have an incorrect understanding of how to implement 802.1x 
security.
Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org 




Distributing Certificates

2012-01-06 Thread McSparin, Joe
Now that I have my Radius server configured I need to begin
implementation I have 600 computers that will be using it.  The question
I am wondering is do I have to go around and install a certificate on
every one of the computers and then maintain that every year changing
out the certificate on 600 computers or is there some way that the
server passes out certificates when the machine logs on.  Or do I have
an incorrect understanding of how to implement 802.1x security.

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

