A question - User Auth etc

Peter Lambrechtsen peter at crypt.nz
Wed Jun 24 20:26:42 CEST 2020

I had a similar problem at my old role.

What I talked about doing would be to create a dummy virtual network on the
BNG that didn’t route anywhere.

Then have a single host (even a Raspberry Pi would do) with DNS and a web
server. On the DNS have the Microsoft / Apple / Google redirect DNS domains all
pointing to your Pi for a web server.

Then on the web server have a single page saying the config on your router
is wrong and you need to fix it.

I proved it worked fine and as expected in the lab but we never deployed it
into production as no one wanted to fund buying a server for it and we
weren’t allowed to use unsupported hardware such as a Pi in the core.

But that is how you solve it.

On Thu, 25 Jun 2020 at 01:37, Alan DeKok <aland at deployingradius.com> wrote:

> On Jun 24, 2020, at 9:27 AM, Richard J Palmer <richard at merula.net> wrote:
> > I have 'possibly' a slightly odd request - I am sure this can be solved
> with FreeRadius but I'd really appreciate some pointers.
>   FreeRADIUS can do almost anything.  v4 will be able to do more. :)
> > We are using FreeRadius to authenticate broadband connections reaching
> us via L2TP over a number of providers. So far it works really well and
> I've had a few questions and help from here in the past which I really
> appreciate
>   Good to hear.
> > Obviously we get some connections reach us with invalid usernames or
> wrong passwords.
> >
> > The problem (and which we don't have any control over) is that in the
> case of a wrong username - the customers router etc can simply try
> constantly to log on. Obviously it never connects (as the current design)
> but this obviously causes extra records in postauth and so on.
> >
> > What I'd like to do is
> >
> > 1) user logs on and works (as now)
> > 2) user with wrong login (wrong password / unknown username) - we allow
> this to log on - send a specific reply back that pushes them into a VRF
> which has a walled garden. It should also mark the user as being in an IP
> Pool so it gets an IP from there)
>   Sure.  That's relatively common.  Let them on, but push them to a
> blocked VLAN, etc.
> > 3) BUT ideally logs this connection as 'failed' OR adds a flag so we can
> see easily that the login was accepted by the above rule - so it's not a
> 'working' session
>   You can use the "linelog" module to selectively log bad
> authentications.  i.e.
>         if (!known user) {
>                 linelog_bad_user
>         }
>   Where you can create a "linelog" module:
> linelog linelog_bad_user {
>         ... stuff to log ...
> }
>   And that logs what you want, where you want.
>   How to check for an unknown user is up to you.  It depends on a number
> of things.  And no, you can't just do "if (!known_user)".  That's just an
> example.
> > The change to radreply - I know and have something we already use for a
> disabled or suspended user,
>   i.e. add a custom reply attribute which says "bad user".  This doesn't
> have to be an attribute which is sent to the NAS.  It can just be in
> raddb/dictionary
> > I am however after some guidance on how I can allow the user to get an
> 'accept' packet back with the extra reply attribute - and the logging
> information. There's some extra complexity which is this should only be the
> case where I am authenticating on a username with a '@' (realm). Any login
> being authenticated via Calling Station ID or with no realm (just a
> username) should perform as now.
>   You can write whatever complex rules you want in "unlang".  :)
>         if (User-Name =~ /@/) {
>                 ... check database for known users...
>                 if (!known_user) {
>                         linelog_bad_user
>                         put them in a VRF / VLAN / whatever
>                         accept
>                 }
>         }
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
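One concrete way to implement what Alan sketches above, written for FreeRADIUS v3 as an added example rather than code from either poster or from the FreeRADIUS project. It assumes the user store is the `sql` module (so an unknown user shows up as a `notfound` return code), that customers authenticate with PAP and the database holds `Cleartext-Password`, and that the BNG is a Cisco ISG accepting `ip:vrf-id` in `Cisco-AVPair`; the attribute name `Local-Walled-Garden`, the pool name `walled-garden`, the VRF name and the linelog instance name are all made up for the example and should be replaced with whatever the real deployment uses:

```unlang
# raddb/dictionary  (hypothetical local attribute; numbers 3000-4000 are
# reserved for local use and are never sent to the NAS, so it is only a
# flag that shows up in post-auth / SQL logging)
ATTRIBUTE   Local-Walled-Garden   3000   string

# raddb/mods-available/linelog  (hypothetical extra instance)
linelog walled_garden_log {
    filename = ${logdir}/walled-garden.log
    format = "%t : %{reply:Local-Walled-Garden} user=%{User-Name} nas=%{NAS-IP-Address} cli=%{Calling-Station-Id}"
}

# raddb/sites-available/default  (excerpt)
authorize {
    preprocess
    suffix            # sets &Realm / &Stripped-User-Name when User-Name has '@'
    sql               # returns notfound when the user does not exist

    # Only realm logins get the walled garden.  Calling-Station-Id and
    # bare-username logins never match and keep their normal behaviour.
    # This check must stay directly after sql, because it reads sql's
    # return code.
    if (notfound && (&User-Name =~ /@/)) {
        update control {
            &Auth-Type := Accept
        }
        update reply {
            &Local-Walled-Garden := "unknown-user"
        }
    }
    # Known realm user but wrong PAP password.  Only works for PAP with a
    # cleartext password in the database; CHAP/MS-CHAP logins with a bad
    # password still go down the normal reject path.
    elsif ((&User-Name =~ /@/) && &User-Password && &control:Cleartext-Password && \
           (&User-Password != &control:Cleartext-Password)) {
        update control {
            &Auth-Type := Accept
        }
        update reply {
            &Local-Walled-Garden := "bad-password"
        }
    }

    # Anything flagged above gets the walled-garden pool and VRF.  The VRF
    # attribute is vendor specific; Cisco-AVPair "ip:vrf-id" is assumed here.
    if (&reply:Local-Walled-Garden) {
        update reply {
            &Framed-Pool := "walled-garden"
            &Cisco-AVPair += "ip:vrf-id=walled-garden"
        }
    }

    expiration
    logintime
    pap               # no-op once Auth-Type has already been set to Accept
}

post-auth {
    # Log the walled-garden accepts separately so they are easy to tell
    # apart from real sessions; the flag also reaches the sql postauth
    # logging below because it is still in the reply list.
    if (&reply:Local-Walled-Garden) {
        walled_garden_log
    }
    sql
    Post-Auth-Type REJECT {
        sql
    }
}
```

Two caveats a practitioner would want to keep in mind: `Auth-Type := Accept` bypasses the password check completely, so it must only ever be reached under the realm condition and after the lookup, never as a catch-all; and because any client that sends a realm username now gets a session, the VRF and pool it lands in have to be genuinely isolated (the "does not route anywhere" network Peter describes), with only the captive DNS and the fix-your-config page reachable from it.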

More information about the Freeradius-Users mailing list