Is it possible to log the Dial-In user password?
Hi, I need to log the Dial-In users Password and I wonder if it is possible to do that in a freeRADIUS server? I'm using freeRadius and MySQL server to store information such as userinfo and traffic logs. If it is possible can someone please describe how? Regards Henrik Henrik Karlsson Projektledare Direkt: +46 (0)8-601 66 57 Mobil: +46 (0)76-104 65 87 Fax: +46 (0)19-10 19 45 Generic Mobile Systems Sweden AB Drottninggatan 10 702 10 ÖREBRO henrik.karlsson@generic.se<mailto:henrik.karlsson@generic.se> www.genericmobile.se<http://www.genericmobile.se/> Kommunikation via SMS, fax, e-post, Minicall, webb - välj det som passar ditt företag bäst [cid:image001.jpg@01CD1D6C.4E0275F0]
On Wed, Apr 18, 2012 at 7:05 PM, Henrik Karlsson <Henrik.Karlsson@generic.se> wrote:
Hi,
I need to log the Dial-In users Password and I wonder if it is possible to do that in a freeRADIUS server?
yes, if the user uses pap.
I’m using freeRadius and MySQL server to store information such as userinfo and traffic logs.
If it is possible can someone please describe how?
there's User-Password attribute, with which you can do anything you want (i.e. insert to db using unlang) there's auth_badpass and auth_goodpass in radiusd.conf if you just want to log it in radius.log. Again, it's only possible if the user uses pap. It should be possible to configure FR to only use pap (i.e. disable chap and friends). Most clients can use pap as fallback, so they should be able to still login. -- Fajar
On Wed, Apr 18, 2012 at 07:19:42PM +0700, Fajar A. Nugraha wrote:
On Wed, Apr 18, 2012 at 7:05 PM, Henrik Karlsson <Henrik.Karlsson@generic.se> wrote:
Hi,
I need to log the Dial-In users Password and I wonder if it is possible to do that in a freeRADIUS server?
yes, if the user uses pap.
And for CHAP, you can log CHAP-Challenge and CHAP-Response. Those values are sufficient to be able to tell afterwards whether the user used a given password or not. (i.e. you can test "did they use password '123456'"?) You can also make a dictionary attack to try to determine what password they used, which will often succeed if it's a simple password.
Henrik Karlsson wrote:
I need to log the Dial-In users Password and I wonder if it is possible to do that in a freeRADIUS server? I’m using freeRadius and MySQL server to store information such as userinfo and traffic logs.
Please use the correct list. First you emailed the list owner, and now the devel list. Questions about the server belong on the freeradius-users list. As for logging the password, yes, it's possible. You just configure the server to log it. Alan DeKok.
participants (4)
-
Alan DeKok -
Brian Candler -
Fajar A. Nugraha -
Henrik Karlsson