I think what I'm seeing is just differences in versions, but wanted to get some expert opinions. I have an old Solaris system running radiusd: FreeRADIUS Version 3.0.11, for host sparc-sun-solaris2.11, built on Jul 14 2016 at 00:32:22 And a newly built Ubuntu system running the repo version radiusd: FreeRADIUS Version 3.0.20, for host x86_64-pc-linux-gnu, built on Apr 14 2022 at 20:32:00 On the Solaris, in the logs, I see logs that look more or less like ``` Fri Sep 16 15:16:03 2022 : Auth: (2303098) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [jimmy] (from client all_ipv4 port 9910 cli 112.217.164.107) Fri Sep 16 15:16:12 2022 : Auth: (2303099) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [gemeaux] (from client all_ipv4 port 13949 cli 184.168.126.75) Fri Sep 16 15:16:14 2022 : Auth: (2303100) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [root] (from client all_ipv4 port 13932 cli 209.141.59.116) ``` On Ubuntu, I see less detail ``` Fri Sep 16 08:49:02 2022 : Auth: (0) Login OK: [bpadgett] (from client all_ipv4 port 0) Fri Sep 16 09:15:01 2022 : Auth: (1) Login OK: [bpadgett] (from client all_ipv4 port 0) Fri Sep 16 09:15:06 2022 : Auth: (2) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [bpadgett] (from client all_ipv4 port 0) Fri Sep 16 09:15:10 2022 : Auth: (3) Login incorrect (ldap: Bind credentials incorrect: Invalid credentials): [bpadgett] (from client all_ipv4 port 0) ``` (those last two were me testing wrong info or blank) I am able to get the Packet-Src-IP-Address in msg_goodpass or msg_badpass, but I'm curious if there is a configuration I'm missing otherwise. The radiusd.conf used on Ubuntu is almost line for line identical since I used the Solaris config to build on. They both appear to have the same mods enabled and on the mods-available/detail and detail.log I don't see any differences. I know I can go with the msg_good/badpass option, I just want to make sure I'm not missing some crucial but simple option. The logging section of radiusd.conf: ``` log { destination = files colourise = yes file = ${logdir}/${name}.log syslog_facility = daemon # Log the full User-Name attribute, as it was found in the request. # # allowed values: {no, yes} # stripped_names = no # Log authentication requests to the log file. # # allowed values: {no, yes} # auth = yes # Log passwords with the authentication requests. # auth_badpass - logs password if it's rejected # auth_goodpass - logs password if it's correct # # allowed values: {no, yes} # auth_badpass = no auth_goodpass = no # The message when the user exceeds the Simultaneous-Use limit. # msg_denied = "You are already logged in - access denied" #msg_badpass = "testbad:%{Packet-Src-IP-Address}" #msg_goodpass = "testgood:%{Packet-Src-IP-Address}" } ``` Brantley Padgett The question is not how far. The question is, do you possess the constitution, the depth of faith, to go as far as is needed? -Boondock Saints
On Sep 16, 2022, at 11:24 AM, Brantley Padgett via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I think what I'm seeing is just differences in versions, but wanted to get some expert opinions.
The server should behave mostly the same across all 3.x versions, so long as it's configured the same.
I have an old Solaris system running radiusd: FreeRADIUS Version 3.0.11, for host sparc-sun-solaris2.11, built on Jul 14 2016 at 00:32:22
And a newly built Ubuntu system running the repo version radiusd: FreeRADIUS Version 3.0.20, for host x86_64-pc-linux-gnu, built on Apr 14 2022 at 20:32:00
On the Solaris, in the logs, I see logs that look more or less like ``` Fri Sep 16 15:16:03 2022 : Auth: (2303098) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [jimmy] (from client all_ipv4 port 9910 cli 112.217.164.107) Fri Sep 16 15:16:12 2022 : Auth: (2303099) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [gemeaux] (from client all_ipv4 port 13949 cli 184.168.126.75) Fri Sep 16 15:16:14 2022 : Auth: (2303100) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [root] (from client all_ipv4 port 13932 cli 209.141.59.116) ```
In general you shouldn't have wildcard clients for the entire internet. That's bad.
On Ubuntu, I see less detail ``` Fri Sep 16 08:49:02 2022 : Auth: (0) Login OK: [bpadgett] (from client all_ipv4 port 0) Fri Sep 16 09:15:01 2022 : Auth: (1) Login OK: [bpadgett] (from client all_ipv4 port 0) Fri Sep 16 09:15:06 2022 : Auth: (2) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [bpadgett] (from client all_ipv4 port 0) Fri Sep 16 09:15:10 2022 : Auth: (3) Login incorrect (ldap: Bind credentials incorrect: Invalid credentials): [bpadgett] (from client all_ipv4 port 0) ``` (those last two were me testing wrong info or blank)
I am able to get the Packet-Src-IP-Address in msg_goodpass or msg_badpass, but I'm curious if there is a configuration I'm missing otherwise.
The messages have had some minor cleanup, but they're largely the same. The only difference is the the client IP in the logs. The IP was removed at some point. A quick check through the git history doesn't show exactly when it was done. So no, there's no configuration. Just some code change. Alan DeKok.
In general you shouldn't have wildcard clients for the entire internet. That's bad.
Preachin to the choir... but these were the crayons I was given. :-/
So no, there's no configuration. Just some code change.
Hooyah. That makes sense. The msg_good/badpass option works, I'll just have to update the fail2ban regex a little but that won't be any trouble. Thanks! Brantley Padgett The question is not how far. The question is, do you possess the constitution, the depth of faith, to go as far as is needed? -Boondock Saints On Friday, September 16, 2022, 10:38:08 AM CDT, Alan DeKok <aland@deployingradius.com> wrote: On Sep 16, 2022, at 11:24 AM, Brantley Padgett via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I think what I'm seeing is just differences in versions, but wanted to get some expert opinions.
The server should behave mostly the same across all 3.x versions, so long as it's configured the same.
I have an old Solaris system running radiusd: FreeRADIUS Version 3.0.11, for host sparc-sun-solaris2.11, built on Jul 14 2016 at 00:32:22
And a newly built Ubuntu system running the repo version radiusd: FreeRADIUS Version 3.0.20, for host x86_64-pc-linux-gnu, built on Apr 14 2022 at 20:32:00
On the Solaris, in the logs, I see logs that look more or less like ``` Fri Sep 16 15:16:03 2022 : Auth: (2303098) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [jimmy] (from client all_ipv4 port 9910 cli 112.217.164.107) Fri Sep 16 15:16:12 2022 : Auth: (2303099) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [gemeaux] (from client all_ipv4 port 13949 cli 184.168.126.75) Fri Sep 16 15:16:14 2022 : Auth: (2303100) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [root] (from client all_ipv4 port 13932 cli 209.141.59.116) ```
In general you shouldn't have wildcard clients for the entire internet. That's bad.
On Ubuntu, I see less detail ``` Fri Sep 16 08:49:02 2022 : Auth: (0) Login OK: [bpadgett] (from client all_ipv4 port 0) Fri Sep 16 09:15:01 2022 : Auth: (1) Login OK: [bpadgett] (from client all_ipv4 port 0) Fri Sep 16 09:15:06 2022 : Auth: (2) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [bpadgett] (from client all_ipv4 port 0) Fri Sep 16 09:15:10 2022 : Auth: (3) Login incorrect (ldap: Bind credentials incorrect: Invalid credentials): [bpadgett] (from client all_ipv4 port 0) ``` (those last two were me testing wrong info or blank)
I am able to get the Packet-Src-IP-Address in msg_goodpass or msg_badpass, but I'm curious if there is a configuration I'm missing otherwise.
The messages have had some minor cleanup, but they're largely the same. The only difference is the the client IP in the logs. The IP was removed at some point. A quick check through the git history doesn't show exactly when it was done. So no, there's no configuration. Just some code change. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Brantley Padgett