auth = yes logs too much, auth = no too little
Hi All, I would like to log failed login attempts, so I can see the username that was tried. Is there a simple way to do this? Setting auth=yes in radiusd.conf also logs all successful attempts. So basically, I'd like to see lines like this one: Mon Sep 24 13:24:16 2018 : Auth: (34876) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [username/<via Auth-Type = eap>] (from client unifi port 0 via TLS tunnel) but not Mon Sep 24 13:15:03 2018 : Auth: (34866) Login OK: [username] (from client unifi port 123456789 cli 00-00-11-22-33-44) Any suggestions on how to achieve this or something similar would be much appreciated. Not directly related, but somewhat: When auth=no is set, and a login fails (be it due to a wrong username, or wrong passphrase), I get the following in the log: Mon Sep 24 13:24:16 2018 : Info: (34877) eap_peap: This means you need to read the PREVIOUS messages in the debug output Mon Sep 24 13:24:16 2018 : Info: (34877) eap_peap: to find out the reason why the user was rejected Mon Sep 24 13:24:16 2018 : Info: (34877) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you Mon Sep 24 13:24:16 2018 : Info: (34877) eap_peap: what went wrong, and how to fix the problem And that's all! There are *no previous* messages. There four lines are all that I get. I assume this means that something on my side is misconfigured, like an "if all else fails, reject" kind of statement? Thanks for the help! Cheers HC
On Sep 27, 2018, at 2:59 AM, Hans-Christian Esperer <hc@hcesperer.org> wrote:
I would like to log failed login attempts, so I can see the username that was tried. Is there a simple way to do this? Setting auth=yes in radiusd.conf also logs all successful attempts.
Yes, that's the way it works, unfortunately.
So basically, I'd like to see lines like this one: Mon Sep 24 13:24:16 2018 : Auth: (34876) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [username/<via Auth-Type = eap>] (from client unifi port 0 via TLS tunnel)
but not Mon Sep 24 13:15:03 2018 : Auth: (34866) Login OK: [username] (from client unifi port 123456789 cli 00-00-11-22-33-44)
Any suggestions on how to achieve this or something similar would be much appreciated.
Source code changes.
Not directly related, but somewhat: When auth=no is set, and a login fails (be it due to a wrong username, or wrong passphrase), I get the following in the log:
Mon Sep 24 13:24:16 2018 : Info: (34877) eap_peap: This means you need to read the PREVIOUS messages in the debug output Mon Sep 24 13:24:16 2018 : Info: (34877) eap_peap: to find out the reason why the user was rejected Mon Sep 24 13:24:16 2018 : Info: (34877) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you Mon Sep 24 13:24:16 2018 : Info: (34877) eap_peap: what went wrong, and how to fix the problem
And that's all! There are *no previous* messages. There four lines are all that I get.
Those are really debugging messages. They shouldn't be in the log file. I'll go fix that
I assume this means that something on my side is misconfigured, like an "if all else fails, reject" kind of statement?
No. It means that the users password was wrong, or something else caused them to be rejected. The PEAP state machine still continues after the *inner* session has been rejected. This message is from a subsequent packet, and from the outer session. Alan DeKok.
On Thu, Sep 27, 2018 at 07:08:50AM -0400, Alan DeKok wrote:
So basically, I'd like to see lines like this one: Mon Sep 24 13:24:16 2018 : Auth: (34876) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [username/<via Auth-Type = eap>] (from client unifi port 0 via TLS tunnel)
but not Mon Sep 24 13:15:03 2018 : Auth: (34866) Login OK: [username] (from client unifi port 123456789 cli 00-00-11-22-33-44)
Any suggestions on how to achieve this or something similar would be much appreciated.
Source code changes.
Would you accept a patch for that? Deprecate the auth= setting in favor of auth_successful, auth_failure? Cheers HC
On Sep 27, 2018, at 8:55 AM, Hans-Christian Esperer <hc@hcesperer.org> wrote:
Would you accept a patch for that?
We'll accept patches for minor new features.
Deprecate the auth= setting in favor of auth_successful, auth_failure?
We can't deprecate functionality that people use. *Adding* functionality is OK. But changing or deleting existing functionality can't be done in v3. Alan DeKok.
On Thu, Sep 27, 2018 at 08:59:01AM -0400, Alan DeKok wrote:
Deprecate the auth= setting in favor of auth_successful, auth_failure?
We can't deprecate functionality that people use.
With deprecate I mean "still support unchanged", but mark as "will go away some time in the future" But sure, simply adding auth_successful and auth_failure would work also, even though it might confuse some users because it'd overlap with the auth= setting HC
On Sep 27, 2018, at 9:01 AM, Hans-Christian Esperer <hc@hcesperer.org> wrote:
With deprecate I mean "still support unchanged", but mark as "will go away some time in the future"
We're re-visiting all of this in v4. So much of the logging is already deprecated.
But sure, simply adding auth_successful and auth_failure would work also, even though it might confuse some users because it'd overlap with the auth= setting
I would say instead to log by packet types, it's a little clearer: auth - turn on *all* logging for accept/reject auth_accept - turn on logging only for accept auth_reject - tuen on logging only for reject It should be a relatively tiny patch. Alan DeKok.
On Sep 27, 2018, at 9:12 AM, Alan DeKok <aland@deployingradius.com> wrote:
I would say instead to log by packet types, it's a little clearer:
auth - turn on *all* logging for accept/reject auth_accept - turn on logging only for accept auth_reject - tuen on logging only for reject
It should be a relatively tiny patch.
I've pushed a fix to the v3.0.x branch. Please test and check that it does what you want. We'd like to release 3.0.18 soon. Alan DeKok.
Hi again, On Thu, Sep 27, 2018 at 09:23:57AM -0400, Alan DeKok wrote:
On Sep 27, 2018, at 9:12 AM, Alan DeKok <aland@deployingradius.com> wrote:
auth - turn on *all* logging for accept/reject auth_accept - turn on logging only for accept auth_reject - tuen on logging only for reject
It should be a relatively tiny patch.
I've pushed a fix to the v3.0.x branch. Please test and check that it does what you want. We'd like to release 3.0.18 soon.
Deployed, configured and checked: works as intended. Thanks again! HC
On Thu, 2018-09-27 at 08:59 +0200, Hans-Christian Esperer wrote:
I would like to log failed login attempts, so I can see the username that was tried. Is there a simple way to do this? Setting auth=yes in radiusd.conf also logs all successful attempts.
You could configure linelog to log details you want and call it in the Post-Auth-Type REJECT section. It'll get login attempts that complete but fail. It won't log attempts where e.g. the EAP process stops half way through. -- Matthew
participants (3)
-
Alan DeKok -
Hans-Christian Esperer -
Matthew Newton