Was a bit confused with this one. You can't actually use msg_goodpass and/or msg_badpass unless auth_goodpass and/or auth_badpass is set to "yes." Doing this DOES force logging of passwords. (Comments in radiusd.conf seem to confirm.) Did a bit more digging (ie. checked out source code and looked at it). It appears the functionality to log client IP (Calling-Station-Id) is already there -- you only need "auth = yes" in radiusd.conf enabled. Enabling "auth_badpass = yes" and/or "auth_goodpass = yes" and msg_goodpass/msg_badpass to include %{Calling-Station-Id} is not necessary. Specifically, there is a function in auth.c called auth_name() that is called during radlog_request(). This function will expand Calling-Station-Id for inclusion in the log message. It appears the actual NAS equipment I am using (Force10) just doesn't send a Calling-Station-Id; hence FreeRADIUS doesn't log it. Works fine with Cisco kit though. Mystery solved! -M On Sun, May 9, 2010 at 1:19 AM, Alan DeKok <aland@deployingradius.com> wrote:
Matt Hite wrote:
It looks like I can possibly enable auth_badpass and auth_goodpass in radiusd.conf and then set:
msg_goodpass = "%{Calling-Station-Id}" msg_badpass = "%{Calling-Station-Id}"
Yes.
Is this going about it the right way?
Yes.
Also, I really don't want the failed passwords to get logged. (I don't want to see my colleagues plain-text passwords.) If I do use the aforementioned technique, am I also going to see passwords? I'm guessing yes.
No. See "auth_badpass" and "auth_goodpass" configuration items. If they're set to "no", passwords are not logged.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html