Suggestion for base system user managment.
I was wondering if anyone has considered putting the freeradius package into the base system.
- It would allow ALL user management to be done from one page, rather than have separate pages for each subsystem.
- PPTP, OPENVPN, PPPOE, L2TP, WIRELESS 802.11, and (possibly) openssh and IPSEC could be managed. (it might be best to keep openssh and console access off radius system)
- There is a radius php module that could be used to check if an admin had access rights to a page.
- accounting and usage data could be logged (including page access by admins)
- would be easy to add an external auth source (LDAP/Active directory/MYSQL)
- would allow per user bandwidth shaping in base config
- you could still proxy requests to a different radius server, and/or supply a external radius server.
- memory usage and disk writes/persistence on embedded platform.
- a lot of work to implement php/radius web page access restrictions (need not be implemented)
- if the radius subsystem breaks, everything stops
- you still would need a web config user (admin?) to be able to auth without radius (see above line)
- you need to run another service (freeradius) on the firewall. (a lot off people will be against this)
I'm just thinking out aloud here, most of these options can still be implemented with freeradius as a package, or even with an external radius server.
You might take a look at how things have changed in the 2.0 code base. There have been a lot of changes to user management and such.
Many of your suggestions are already in pfSense 2.0 and the framework is there for many more of them.
Even with the new users and groups features of 2.0, for some of the other features I am working on, I will need to have a second users/groups page for radius, which I was trying to avoid.