[SGVLUG] NFD over Internet

Alex Roston tungtung at pacbell.net
Sun Dec 4 13:18:04 PST 2005


Tom Emerson wrote:

>On Sunday 04 December 2005 1:28 am, Alex Roston wrote:
>
>>I have a program for my kiosk system which accepts cards. There's a card
>>number associated with a number of minutes.[...] I have a customer who has
>>deployed around 50 kiosks in Canada, and they want to extend this system
>>[...]
>>Lastly, if this isn't practical, what's the best (and hopefully easiest)
>>way to implement an authentication system over the net?
>
>A different solution would be an "AAA-radius" server -- what you're describing 
>is almost identical to what I did for a local coffee house for the wireless 
>internet access.  Admittedly, the access point I was using was already geared 
>for this, so it was pretty trivial, but in learning how to use the radius 
>server, I came to understand the third "A" in the list -- accounting.
>
Accounting is definitely a problem. At the moment each computer is 
sending an accounting e-mail to the company, and that makes it very 
difficult to integrate the data. The problem will only get worse as each 
new computer is added to the network. How does the radius accounting 
system work? Can it provide details for each computer? Can the computers 
be grouped into classes, such as a "Motel 6" class or a "Best Western" 
class?

>Like you, I was selling cards printed with random user/password combinations.  
>These users were pre-set in a mysql database with one or two hours associated 
>with them, and savvy end users could "log out" once they downloaded their 
>e-mail, compose responses, then "log in" to transmit them.  In this way, a 
>"one hour" card could last someone a week if they were careful to limit each 
>"session" to 5 minutes or so.
>
That's not a problem here. They can't use the computer at all without 
being charged for time.

>The radius server already uses a "secure" channel -- you have to pre-set a 
>"shared secret" between the client and server, and I think you had to have 
>fixed IP addresses for the clients  (but that may have been because I had the 
>luxury of a fixed address -- it might just be a configuration tweak to allow 
>dynamic client addresses)  Once the server authenticates the user, it can 
>send back information that your application can use to limit access.  It also 
>sends how much "time" you have available (so your client can enforce a 
>timeout)  When you "sign out", the client sends a closing record that the 
>server can use to determine how much time you've used and adjust accordingly.
>
How hard would it be to write a radius client?

Thanks,

Alex

