A question - User Auth etc

Richard J Palmer richard at merula.net
Wed Jun 24 15:27:29 CEST 2020


I have 'possibly' a slightly odd request - I am sure this can be 
solved with FreeRadius but I'd really appreciate some pointers.

We are using FreeRadius to authenticate broadband connections reaching 
us via L2TP over a number of providers. So far it works really well 
and I've had a few questions and help from here in the past which I 
really appreciate.

Obviously we get some connections reach us with invalid usernames or 
wrong passwords.

The problem (and which we don't have any control over) is that in the 
case of a wrong username - the customer's router etc can simply try 
constantly to log on. Obviously it never connects (under the current 
design) but this obviously causes extra records in postauth and so on.

What I'd like to do is:

1) user logs on and works (as now)
2) user with wrong login (wrong password / unknown username) - we 
allow this to log on - send a specific reply back that pushes them 
into a VRF which has a walled garden (it should also mark the user as 
being in an IP Pool so it gets an IP from there)

3) BUT ideally logs this connection as 'failed' OR adds a flag so we 
can see easily that the login was accepted by the above rule - so it's 
not a 'working' session

The change to radreply - I know and have something we already use for 
a disabled or suspended user.

I am however after some guidance on how I can allow the user to get an 
'accept' packet back with the extra reply attribute - and the logging 
information. There's some extra complexity which is this should only 
be the case where I am authenticating on a username with a '@' 
(realm). Any login being authenticated via Calling Station ID or with 
no realm (just a username) should perform as now.

I have a few ideas but would really appreciate some pointers on the 
best way to implement this one.

Thanks in advance
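The flow asked for above, written up as a FreeRADIUS 3.0.x unlang sketch added here; it is neither the poster's nor the FreeRADIUS project's configuration. The pool name, the Tmp-String-0 flag, the linelog instance and the use of Reply-Message as a stand-in for the LNS vendor's VRF attribute are all assumptions; it catches unknown realm users via sql's notfound, and a wrong password only for PAP with a cleartext password in radcheck (CHAP logins with a bad password still get the normal Reject).

```unlang
# sites-enabled/default, FreeRADIUS 3.0.x -- added sketch, not from the post or the project

authorize {
    preprocess
    chap
    pap
    suffix        # splits user@realm for the existing proxy/realm handling
    sql           # per-user lookup; sets control:Cleartext-Password from radcheck

    # Only realm logins (User-Name with an '@') may fall into the walled garden.
    # Calling-Station-Id and realm-less logins never match and behave as today.
    if (notfound && (&User-Name =~ /@/)) {
        update control { &Tmp-String-0 := "unknown-user" }
    }
    elsif ((&User-Name =~ /@/) && &User-Password && &control:Cleartext-Password && (&User-Password != &control:Cleartext-Password)) {
        # PAP only, and only when radcheck holds a cleartext password (assumption)
        update control { &Tmp-String-0 := "bad-password" }
    }

    if (&control:Tmp-String-0) {
        # Skip real authentication and hand the session to the walled garden
        update control { &Auth-Type := Accept }
        update reply {
            &Framed-Pool   := "walled-garden"   # pool name on the LNS (assumed)
            &Reply-Message := "walled-garden"   # stand-in for the LNS vendor's VRF attribute
        }
    }
}

post-auth {
    # The flag set above marks this Access-Accept as a failed login in its own log;
    # the existing postauth SQL logging (not shown) still runs afterwards.
    if (&control:Tmp-String-0) {
        walled_garden_log
    }
}

# mods-enabled/walled_garden_log -- the instance name is an assumption
linelog walled_garden_log {
    filename = ${logdir}/walled-garden.log
    format = "%T walled-garden user=%{User-Name} reason=%{control:Tmp-String-0} pool=%{reply:Framed-Pool}"
}
```

Run `radiusd -X` with a realm test user to confirm the flag, the reply attributes and the log line appear only for '@' logins.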

