Here are the magic numbers, whose meaning I have no idea of, that I got (a while ago) from Supermicro (via our vendor, Silicon Mechanics):
# vi /etc/raddb/users
Example:
# entry line: user name and check items; the indented line below it holds the reply items
myuser Auth-Type := Local, User-Password == "123456"
        Vendor-Specific = "H=4, I=4"
testuser Auth-Type := Local, User-Password == "654321"
        Vendor-Specific = "H=3, I=3"
So, obviously H= and I= mean something, and at least 3 and 4 are valid values (and I don't believe the syntax is even allowed by the RFCs, but whatever). I replied asking what those mean, and haven't heard back. I just sent a followup...
edit
Got a reply:
Those settings match the user account type in the IPMI Web GUI.
CallBack (H=1, I=1) = No Access
Basically, this type of account will be rejected by IPMI. It can be used to temporarily disable an account.
User (H=2, I=2) = User
This type of account is only allowed to check the system status.
Operator (H=3, I=3) = Operator
This type of account is allowed to do the remote control & check the system status, but can't change the configuration.
Administrator (H=4, I=4) = Administrator
This type of account is allowed to do everything.
There is no other privilege.
edit 2
Reply to the two different field meanings.
This is the info SuperMicro got from ATEN:
"H" is for the user privilege. IPMI spec 2.0 defines the following channel privilege levels. We don't use the OEM Proprietary level for special privilege.
Channel Privilege Level Limit:
0h = reserved
1h = CALLBACK level
2h = USER level
3h = OPERATOR level
4h = ADMINISTRATOR level
5h = OEM Proprietary level
"I" is for debug purpose and it is reserved option. Please ignore it.
Below is the definition of the Channel Privilege Levels from IPMI spec 2.0:
Callback
This may be considered the lowest privilege level. Only commands necessary to support initiating a Callback are allowed.
User
Only 'benign' commands are allowed. These are primarily commands that read data structures and retrieve status. Commands that can be used to alter BMC configuration, write data to the BMC or other management controllers, or perform system actions such as resets, power on/off, and watchdog activation are disallowed.
Operator
All BMC commands are allowed, except for configuration commands that can change the behavior of the out-of-band interfaces. For example, Operator privilege does not allow the capability to disable individual channels, or change user access privileges.
Administrator
All BMC commands are allowed, including configuration commands. An Administrator can even execute configuration commands that would disable the channel that the Administrator is communicating over.
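Since the H= value in the RADIUS reply decides what a user can do on the BMC, it is worth auditing the users file for who is handed ADMINISTRATOR and for values outside the usable 1-4 range. The script below is an added example, not something from the post or from Supermicro; it parses a constructed users file in the layout shown above and maps each H= value to the IPMI 2.0 privilege levels from the ATEN reply (the entry names and passwords are made up).

```python
import re

# IPMI 2.0 channel privilege level limits, as listed in the ATEN reply above.
IPMI_PRIVILEGE = {0: "reserved", 1: "CALLBACK", 2: "USER", 3: "OPERATOR",
                  4: "ADMINISTRATOR", 5: "OEM Proprietary"}
USABLE_LEVELS = (1, 2, 3, 4)   # ATEN: OEM level not used, 0 is reserved

# Constructed sample in the layout Supermicro supplied (not a real users file).
SAMPLE_USERS = '''\
myuser Auth-Type := Local, User-Password == "123456"
\tVendor-Specific = "H=4, I=4"
testuser Auth-Type := Local, User-Password == "654321"
\tVendor-Specific = "H=3, I=3"
broken Auth-Type := Local, User-Password == "zzz"
\tVendor-Specific = "H=7, I=1"
nohint Auth-Type := Local, User-Password == "qqq"
'''

VSA_RE = re.compile(r'Vendor-Specific\s*=\s*"([^"]*)"')
H_RE = re.compile(r'\bH\s*=\s*(\d+)')

def parse_users(text):
    """Return {username: H value or None}; entries start at column 0, reply items are indented."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":
            current = line.split()[0]
            entries[current] = None
            continue
        m = VSA_RE.search(line)
        if current and m:
            h = H_RE.search(m.group(1))      # "I=" is reserved per ATEN, so ignored
            entries[current] = int(h.group(1)) if h else None
    return entries

def audit(text):
    """Map each user to the BMC privilege its H= value grants; flag the rest."""
    report = {}
    for user, h in parse_users(text).items():
        if h is None:
            report[user] = "no H= reply item"
        elif h in USABLE_LEVELS:
            report[user] = IPMI_PRIVILEGE[h]
        else:
            report[user] = "invalid H=%d (%s)" % (h, IPMI_PRIVILEGE.get(h, "undefined"))
    return report
```

Running `audit()` over the real file (read with `open("/etc/raddb/users").read()`) lists every entry that gets ADMINISTRATOR on the BMC alongside any entry with no or an out-of-range H= value.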
We use OpenVPN for our "home" and "field" workers. There are clients available for Windows, Linux and Mac OS X (called Tunnelblick). We run our access server off a Fedora box, but according to the OpenVPN website, there are also access servers available as virtual appliances or for VHD. However, this will require either a server connected directly to the Internet, or some port forwarding from your firewall to the access server. From your description above, it sounds like port forwarding is the way to go for you.
We use this with self-signed certificates (i.e. certificates we create ourselves for each user) and it works like a charm. Our access server is configured to run on port 443, which makes it easier for the "field" workers to connect from hotels (which often have strong restrictions on which ports are allowed).
With Windows clients, the OpenVPN client can be configured to start up before the Windows login prompt comes up, which means that at the point of logon, you already have a connection to your LAN, and authentication against AD is simple: the user gets a choice of which domain he wants to log on to (local domain or AD domain). Alternatively, if the client is NOT configured to start up automatically, users can still log on with their domain credentials, if the computer is registered, because Windows will cache their credentials for a certain time. However, if no connection is made before the cache expires, your home worker can get a bit stuck, particularly if he doesn't have credentials for any local accounts on the machine.
Best Answer
Have a look at pfSense. I've set it up to authenticate against an Active Directory server using RADIUS for PPTP VPN connectivity. But if you're looking for IPsec you're dealing with certificates and pre-shared secrets with IPsec, not username/password authentication. But pfSense can do that too. It also supports OpenVPN. So you have a couple of VPN options with it.
You'll just need to size the hardware appropriately for your needs. The Linksys model you reference looks pretty small, so I'm sure that one of these Netgate m1n1wall firewalls will work well for you.