Netgate Discussion Forum

    Change freeradius2 password weekly via script

    pfSense Packages
    • jjeff123

      I'd like to change our radius password for a user weekly, using a script. I really just need to rotate between a dozen or so passwords.

      Any suggestions?

      • johnpoz LAYER 8 Global Moderator

        Curious on why? Is the user sharing this password? Seems like a lot of logistics - are you just looking to confuse the users on what password they should use?

        What exactly does this get you other than user complaints that they can't log in and have to tell them what week's password to use? Is this a shared account for like guest access and you want to limit how long they have access for? Maybe captive portal would be easier with vouchers?

        What sort of cat are you trying to skin and we can go over the best ways to do it ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • jjeff123

          It's a feeble attempt to prevent the account from being overused.

          Basically, the account is used for guest access, but the password leaks out (very quickly). Currently we manually change the password once per week, and the support staff are getting tired of doing that.

          This is used in a K-12 school, and while we already have bandwidth limits per user, the problem is that if 1000 students all have smartphones, eventually they'll all be logged in to the wireless all the time and the sum total of having all the background Facebook updates and app downloads and everything else uses quite a bit of bandwidth. At the same time, if they want to actually use the guest network, we don't want the bandwidth limit to be so low as to be useless.

          So the idea is we change the password weekly, I can't do much about teachers giving the password out, but I can at least try to prevent them from saturating the guest firewall over the long haul.

          • johnpoz LAYER 8 Global Moderator

            Hmmm, ok, now that we know what breed of cat we have to skin ;)

            What about a captive portal that has a limited time for them to be active? So while they need a password that you could still change now and then, it would also kick off the user after say 1 hour or whatever time you think is appropriate and they would have to once again auth to the portal.

            This should lower the amount of background stuff going on. So while the kids are checking their Facebook pages actively they are fine. But when they put the phone in their pocket, after x amount of time it would be disconnected and internet wouldn't work until they again click through the portal.

            You could also set up a voucher system and create vouchers that they can give out to kids that are good for say 1 hour of usage. There is no way to hand out this password since it's all vouchers. Once your time expires on that voucher you need a new one ;)

            Just a couple of ideas off the top of my head vs having to script any sort of change of password that actually gives you more control.

            You could also prob get fancy with radius account and limiting amount of bandwidth - but that could get crazy with 1000's of students.

            • Nachtfalke

              Hi,

              I would also try it with Captive Portal and disallow simultaneous connections. So when someone gives the password to someone else, they are kicking themselves off the network because only the least active connection will have access. So on the first days they will share their credentials, but if there are 10 people sharing the same credentials they will not have any fun with that.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.