Re: Prevent uid sharing or how to allow use uid only once

Hi,

> Should I enable accounting for that?

that's one way of tackling the issue

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Prevent uid sharing or how to allow use uid only once

Hi,

Let's suppose that John Doe comes and logs in with jdoe uid, then Joe comes and wants to use the wireless network, but he has no entry in either LDAP or the radius users file, so he asks jdoe to pass him his uid and password to log in. Sorry if that sounds somewhat stupid, but can we prevent that from radius? (please don't tell me to fire John Doe ;) ).

Thanks in advance!

--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
Re: Prevent uid sharing or how to allow use uid only once

Sergio Belkin wrote:

> Hi, Let's suppose that John Doe comes and logs in with jdoe uid, then Joe comes and wants to use the wireless network, but he has no entry in either LDAP or the radius users file, so he asks jdoe to pass him his uid and password to log in. Sorry if that sounds somewhat stupid, but can we prevent that from radius? (please don't tell me to fire John Doe ;) ).

I don't understand the problem or what you're trying to solve. So what if Joe mistakenly tries to use John's username, it won't work as he won't know Joe's password. This is no different than an attempted network break-in, which should be prevented by locking your resources down and ensuring strong passwords. Never in any instance will resources authorized for one user be granted to another user unless you've configured something wrong.

If the problem is that both John and Joe want the same username then one needs to explain to Joe that username is already in use and he'll have to use another one.

--
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: Prevent uid sharing or how to allow use uid only once

2009/6/5 John Dennis jden...@redhat.com:

> Sergio Belkin wrote:
>
> > Hi, Let's suppose that John Doe comes and logs in with jdoe uid, then Joe comes and wants to use the wireless network, but he has no entry in either LDAP or the radius users file, so he asks jdoe to pass him his uid and password to log in. Sorry if that sounds somewhat stupid, but can we prevent that from radius? (please don't tell me to fire John Doe ;) ).
>
> I don't understand the problem or what you're trying to solve. So what if Joe mistakenly tries to use John's username, it won't work as he won't know Joe's password. This is no different than an attempted network break-in, which should be prevented by locking your resources down and ensuring strong passwords. Never in any instance will resources authorized for one user be granted to another user unless you've configured something wrong.
>
> If the problem is that both John and Joe want the same username then one needs to explain to Joe that username is already in use and he'll have to use another one.
>
> --
> John Dennis jden...@redhat.com

What I meant is that employee John passes his coworker Joe their credentials, both user and password, well that could not be so terrible. Now, let's suppose then that your company organizes an event and 100 people come, they want to use the wireless network, so John comes and has the great idea of passing their credentials to attendants, so you have more than 100 people using the same uid and password at once...

--
Sergio Belkin
Re: Prevent uid sharing or how to allow use uid only once

Sergio Belkin wrote:

> 2009/6/5 John Dennis jden...@redhat.com:
>
> > Sergio Belkin wrote:
> >
> > > Hi, Let's suppose that John Doe comes and logs in with jdoe uid, then Joe comes and wants to use the wireless network, but he has no entry in either LDAP or the radius users file, so he asks jdoe to pass him his uid and password to log in. Sorry if that sounds somewhat stupid, but can we prevent that from radius? (please don't tell me to fire John Doe ;) ).
> >
> > I don't understand the problem or what you're trying to solve. So what if Joe mistakenly tries to use John's username, it won't work as he won't know Joe's password. This is no different than an attempted network break-in, which should be prevented by locking your resources down and ensuring strong passwords. Never in any instance will resources authorized for one user be granted to another user unless you've configured something wrong.
> >
> > If the problem is that both John and Joe want the same username then one needs to explain to Joe that username is already in use and he'll have to use another one.
> >
> > --
> > John Dennis jden...@redhat.com
>
> What I meant is that employee John passes his coworker Joe their credentials, both user and password, well that could not be so terrible. Now, let's suppose then that your company organizes an event and 100 people come, they want to use the wireless network, so John comes and has the great idea of passing their credentials to attendants, so you have more than 100 people using the same uid and password at once...

Read the FAQ (http://wiki.freeradius.org/FAQ) and search for simultaneous

--
John Dennis jden...@redhat.com
Re: Prevent uid sharing or how to allow use uid only once

Sergio Belkin wrote:

> What I meant is that employee John passes his coworker Joe their credentials, both user and password, well that could not be so terrible. Now, let's suppose then that your company organizes an event and 100 people come, they want to use the wireless network, so John comes and has the great idea of passing their credentials to attendants, so you have more than 100 people using the same uid and password at once...

BTW, if I were administering the network and discovered anybody had divulged their login information to anyone else, never mind 100 other users, I would consider that grounds for permanent revocation of all privileges. In many organizations such a security lapse would lead to immediate termination of employment. Think about it, if someone did what you've proposed what purpose is authentication serving? You might as well set up open anonymous access.

There are other ways of handling a collection of guests, set up a short duration guest account and publish that information, after the event disable the account.

--
John Dennis jden...@redhat.com
Re: Prevent uid sharing or how to allow use uid only once

Hi,

> What I meant is that employee John passes his coworker Joe their credentials, both user and password, well that could not be so terrible. Now, let's suppose then that your company organizes an event and 100 people come, they want to use the wireless network, so John comes and has the great idea of passing their credentials to attendants, so you have more than 100 people using the same uid and password at once...

simultaneous-use - only allow one instance of the user/pass to be online at a time.

sure, another person might be on instead of John...but then John won't be able to get online...He'd very quickly be miffed that he'd lost his access due to someone else using his credentials

alan
Re: Prevent uid sharing or how to allow use uid only once

2009/6/5 a.l.m.bu...@lboro.ac.uk:

> Hi,
>
> > What I meant is that employee John passes his coworker Joe their credentials, both user and password, well that could not be so terrible. Now, let's suppose then that your company organizes an event and 100 people come, they want to use the wireless network, so John comes and has the great idea of passing their credentials to attendants, so you have more than 100 people using the same uid and password at once...
>
> simultaneous-use - only allow one instance of the user/pass to be online at a time.

Should I enable accounting for that?

> sure, another person might be on instead of John...but then John won't be able to get online...He'd very quickly be miffed that he'd lost his access due to someone else using his credentials
>
> alan

--
Sergio Belkin
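
The Simultaneous-Use limit suggested in the thread, together with the accounting dependency asked about in the last reply, as an added configuration example that is not part of the original messages. It assumes a FreeRADIUS 2.x style layout (a `users` file and a virtual server with `accounting` and `session` sections) and the `radutmp` module as the session database; the file locations in the comments are assumptions.

```conf
# --- users file (assumed location: raddb/users) ---
# Check item applied to every account: reject a new login when the
# user already has one active session recorded.
DEFAULT Simultaneous-Use := 1
        Fall-Through = Yes

# --- virtual server (assumed location: raddb/sites-available/default) ---
accounting {
        # Accounting Start/Stop packets from the NAS are written to the
        # session database. Without accounting the server has no record
        # of who is currently online, so the limit cannot be enforced.
        radutmp
}

session {
        # Consulted whenever Simultaneous-Use is set: counts the user's
        # active sessions from the records written by the accounting
        # section above.
        radutmp
}
```

The access point or other NAS must be configured to send accounting packets to this server for the session count to be accurate. A lost Accounting-Stop leaves a stale entry that keeps the legitimate user locked out until it is cleared.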