Ann, There is an easy way to see all the attributes in the access-request that your client devices are throwing at the radius server. In the /etc/raddb/sites-enabled/instance-name (where instance name is your active site definition file, by default it's "default") find the line that looks like: # If you want to have a log of authentication requests, # un-comment the following line. # auth_log remove that '#' in-front of the 'auth_log' entry and restart your radiusd. It will generate a "auth-detail" file in a directory (one for each NAS/AP/client-device) and log all the attributes in each request packet it receives. Warning, protect those auth-detail files from prying eyes. If you're using an auth mechanism that uses clear-text passwords they may show up in those log files. You'll see entries like: Sun May 28 00:54:31 2023 Packet-Type = Access-Request User-Name = "abcd13@hah.blah.uiowa.edu" NAS-Port = 460 EAP-Message = 0x020a0021016c2d75627533313340424c55452e656e67722e75696f77612e656475 Message-Authenticator = 0xc0b56abc5883afca699d1c4386d156cb Acct-Session-Id = "8O2.1x81d086a20001fdd3" NAS-Port-Id = "ge-8/0/14.0" Calling-Station-Id = "c8-5a-cf-06-9e-34" Called-Station-Id = "5c-5e-ab-73-e7-00" NAS-Identifier = "x-sc100" NAS-Port-Type = Ethernet NAS-IP-Address = 192.168.24.46 Huntgroup-Name = "juniper-dot1x-client-BLAH" Depending on exactly what your infrastructure is, you may be disappointed. If your 'client devices' are things like a NAS or wireless-AP then the IP addresses you will see are of the client devices themselves not the users behind them. (in a "EAPoL" type infrastructure the end users devices do not yet have a visible IP address). On Wed, 27 Sep 2023, Ann Cantelow wrote:
Hello,
I am looking to implement a lockout for excessive login tries. I have been following advice offered at https://wiki.freeradius.org/guide/lockout , and thank you very much for that. Is there a variable like '%{User-Name}' for IP number? I would like to do a lockout based on IP number as well as User-Name. I see the IP is listed in the radius log, but I haven't been able to find an attribute that I figure will give this information. I've looked in the dictionary files, but maybe I've somehow missed it.
My radius version is 2.1.12 on RHEL6, and client nastype is cisco. Radius upgrade to version 3 is planned.
Radius log example lines showing ip numbers:
... Wed Sep 27 11:29:13 2023 : Auth: Login incorrect: [edc] (from client [clientname] port 212271104 cli 62.122.184.231) Wed Sep 27 11:29:14 2023 : Auth: Login incorrect: [edc] (from client [clientname] port 86839296 cli 62.122.184.231) Wed Sep 27 11:29:16 2023 : Auth: Login incorrect: [qazwsx] (from client [clientname] port 241688576 cli 62.122.184.231) Wed Sep 27 11:29:17 2023 : Auth: Login incorrect: [qazwsx] (from client [clientname] port 166244352 cli 62.122.184.231) ...
Many thanks, Ann Cantelow
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Dave Funk University of Iowa <dbfunk (at) engineering.uiowa.edu> College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include <std_disclaimer.h> Better is not better, 'standard' is better. B{