Q: Suggestions for home AAA server set-up?

Hi,

Been searching the forum about this topic but did not find any recent postings, so here it goes.

I have a use-case for authenticating wifi users in my home network using radius. The objective is two-fold:
  • Centralized authentication
  • Ability to use different VLANs depending on user group, e.g. guests/regular/IoT
As a future addition, I would like to have a centralized authentication for all home server logon. It is a pain to update user passwords in multiple servers in my home network, which means it doesn't happen that often...

I am currently basing most of my home network around a FreeNAS-11.1 running a combo of jails with micro-services and VMs. I would prefer to keep as many of my services on FreeBSD as possible, as this is the area in which I am currently trying to expand my knowledge.

I am looking for suggestions for which packages I could combine in order to get a web-based AAA solution, and possibly hints to "how-to"s.
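The second objective in the question (a different VLAN per user group) is what RADIUS calls dynamic VLAN assignment: the server answers an 802.1X request with an Access-Accept carrying three tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN id), and the access point or switch moves the client onto that VLAN. In FreeRADIUS those are exactly the attribute names you put on a user or group entry in the `users` file. The script below is an added example, not code from the thread or from any RADIUS project: it encodes those attributes the way RFC 2868/3580 lay them out on the wire and parses them back the way a NAS would, so you can see what a correct reply looks like and what happens when one attribute is missing. The group-to-VLAN mapping is constructed for the guests/regular/IoT groups in the question and is an assumption.

```python
"""Dynamic VLAN assignment with RADIUS tunnel attributes (RFC 2868 / RFC 3580).

Added example, not from the forum thread. An Access-Accept that should place
an 802.1X client on a VLAN carries three attributes:
  Tunnel-Type (64)             = VLAN (13)
  Tunnel-Medium-Type (65)      = IEEE-802 (6)
  Tunnel-Private-Group-ID (81) = the VLAN id (or name) as a string
Each is "tagged": a one-octet tag follows the attribute header so that several
tunnel definitions can be carried side by side. Tag 0 means "untagged".
"""

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
MEDIUM_IEEE_802 = 6

# Constructed mapping for the groups named in the question (assumption).
GROUP_VLANS = {"guests": 30, "regular": 10, "iot": 20}


def vlan_for_group(group):
    """Look up the VLAN a user group should land on; unknown groups are rejected
    rather than silently dropped onto a default VLAN."""
    try:
        return GROUP_VLANS[group.lower()]
    except KeyError:
        raise ValueError("no VLAN defined for group %r" % group)


def _tagged_int(attr_type, value, tag=0):
    # Header (type, length), tag octet, then a 3-octet big-endian integer.
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def _tagged_string(attr_type, value, tag=0):
    # Header, tag octet, then the string; total length is one octet, so <= 255.
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    body = bytes([tag]) + value.encode("ascii")
    if 2 + len(body) > 255:
        raise ValueError("attribute too long")
    return bytes([attr_type, 2 + len(body)]) + body


def vlan_attributes(vlan_id, tag=0):
    """Build the attribute bytes a RADIUS server puts in Access-Accept for vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802, tag)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def parse_attributes(blob):
    """Walk a RADIUS attribute list and return (type, tag, value) tuples.
    Length fields are checked before use so a truncated packet raises instead
    of reading past the end."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        a_type, a_len = blob[i], blob[i + 1]
        if a_len < 2 or i + a_len > len(blob):
            raise ValueError("bad attribute length")
        data = blob[i + 2:i + a_len]
        i += a_len
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(data) != 4:
                raise ValueError("tunnel integer attribute must be 4 octets")
            tag, value = data[0], int.from_bytes(data[1:], "big")
        elif a_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is not a tag but part of the string.
            if data and data[0] <= 0x1F:
                tag, value = data[0], data[1:].decode("ascii")
            else:
                tag, value = 0, data.decode("ascii")
        else:
            tag, value = None, data
        attrs.append((a_type, tag, value))
    return attrs


def assigned_vlan(blob):
    """Return the VLAN id string a NAS would apply, or None when the reply does
    not contain a complete VLAN/IEEE-802/group-id triple under one tag.
    A partial triple must not assign anything; RFC 3580 asks the NAS to ignore it."""
    by_tag = {}
    for a_type, tag, value in parse_attributes(blob):
        if tag is not None:
            by_tag.setdefault(tag, {})[a_type] = value
    for _tag, attrs in sorted(by_tag.items()):
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    reply = vlan_attributes(vlan_for_group("IoT"))
    print(reply.hex(), "->", assigned_vlan(reply))
```

The point of `assigned_vlan` returning `None` for an incomplete triple is the failure mode worth testing on a real setup: if a group entry only sets Tunnel-Private-Group-ID, a standards-following access point ignores the reply's VLAN part and the client lands on the port's default VLAN, which for a guest account is the opposite of what you wanted.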
 
As a future addition, I would like to have a centralized authentication for all home server logon.
That's usually why you use radius in the first place ;)

You might also have a look at yp(8) (usually called NIS) and/or kerberos(8). They all cover slightly different subsets and variations of "centralized user management" and have varying approaches, so you might pick one over another for your use case(s). OTOH they all play very well together and can hook into one another, so you can tailor a system that exactly fits your needs.
 
LDAP is pretty much the de facto standard when it comes to centralized user management on UNIX(-like) systems. Radius and/or TACACS can both be linked to LDAP. As do many web applications.

NIS shouldn't be used any more, it's a relic from the past. Kerberos only deals with authentication, not user management.
 
NIS shouldn't be used any more, it's a relic from the past.
For a small homelab IMHO it is still the fastest and easiest way to get centralized user management. It nicely integrates with e.g. passwd on all major BSD, Illumos/Solaris and Linux variants/distros and the client part is still available out of the box on almost all of them.
Sure, LDAP is much more modern and flexible, but this also often makes it quite a beast to set up and maintain.
 
It nicely integrates with e.g. passwd on all major BSD, Illumos/Solaris and Linux variants/distros and the client part is still available out of the box on almost all of them.
Sure, but so is telnet(1). And we all know not to use that any more. One of the reasons why NIS is bad is that regular users can get a list of passwords. Sure they're encrypted but the list allows anyone to easily brute-force the passwords off-line. There's no encryption between the NIS client and server and there's little to no security.
 