How to Reject User During Authentication

Selahattin Cilek selahattin_cilek at hotmail.com
Fri Aug 11 14:10:03 CEST 2017



On 11.08.2017 14:28, Alan DeKok wrote:
> On Aug 11, 2017, at 1:02 PM, Selahattin Cilek <selahattin_cilek at hotmail.com> wrote:
>> All has been going well for about 6 months. But the dorm director has run into a problem today. There are only a handful of students staying in the dorm. All others are on vacation. Using the .NET application, the director has found out that some students log in to the network using the credentials of some other students that are away. Apparently, they share passwords with fellow students. But the director cannot let that happen. It is against the law to use some other person's credentials to gain access to services, and it does not matter if there is consent. It is very much like lending your passport to a friend. So he asked me to come up with a way to prevent that from happening again.
>>
>> Since we can't just delete the missing students from the database,  I decided to append another field to an existing database table that I use to keep track of network usage (table: usage, column: locked). I also made changes to the .NET application to make it possible for the director to "lock" those users that are away. When a user's "locked" field is set to 1, the "datacounter_auth.sh" script detects this and does not authorise him.
>>
>> So what is the problem? The problem is that "datacounter_auth.sh" is executed *after* the user is authenticated.
>    Because you configured it to do that.  The server can run scripts before authentication.  See raddb/modules/exec as an example.
>
>> What I would like to do is to prevent a locked user from ever passing the authentication phase, because the system logs that as a valid login. We can't let that happen either because the law stipulates that we keep an accurate log of user logins.
>>
>> So my question is: How can I make authentication fail using an SQL statement *even if* the user provides valid credentials?
>    Check for the locked user in the "authorize" section.  That happens before authentication.

I didn't know that.

Doing this did the trick:

     if ("%{sql: SELECT locked FROM `usage` WHERE user_name = '%{User-Name}'}" == "1" ) {
         reject
     }

Now there are no "Login OK"s in the log.

Thank you very much.

But I'd still like to know how to make the script run *before* 
authentication. I haven't found anything of much help in the exec module.

>
>    Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
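A fail-closed variant of the authorize-section lock check, as an added example that is neither the poster's configuration nor FreeRADIUS project code. It assumes FreeRADIUS 3.x unlang syntax, the same `usage` table with a `locked` column (0 = active, 1 = locked), and that every active account has a row; unlike the poster's `== "1"` test, it also rejects when the query returns nothing (unknown row or database error), so a lock can never be bypassed by a lookup failure.

```unlang
# raddb/sites-enabled/default (FreeRADIUS 3.x unlang, added example)
authorize {
    preprocess

    # Look up the lock flag before any authentication happens.
    # Tmp-String-0 is a built-in scratch attribute used only for
    # this request; the query runs through the sql xlat.
    update request {
        &Tmp-String-0 := "%{sql:SELECT locked FROM `usage` WHERE user_name = '%{User-Name}'}"
    }

    # Fail closed: only an explicit "0" lets the request continue.
    # "1" is a locked account; an empty string means no row or a
    # database error, and neither should ever reach authenticate
    # (so no "Login OK" is ever logged for them).
    if (&Tmp-String-0 != "0") {
        update reply {
            &Reply-Message := "Account locked or unavailable"
        }
        reject
    }

    # Normal flow: password lookup and Auth-Type selection.
    sql
    pap
}
```

Start the server with `radiusd -X` and send a request for a locked account to confirm the reject is issued from the authorize section before any Auth-Type is chosen.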





