I have the following sql in my sql conf file and this is working. My only gripe is if there is no info provided then what gets placed in the log. It appears in the case of User-Password that a default of Chap-Password is entered as per below. Does anyone have a list of attributes I can log on failed attempts and the structure for the SQL statement. Eg %{reply:Reply-Message} quite often gives me "=5Cr=5CnYou are already logged in - access denied=5Cr=5Cn=5Cn" whereas I obviously only need the statement you are already logged in. I assume that an attribute followed by :- means to place what follows in the event of no data provided. Looking for lots of clarification here. postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date, callingid) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Reply-Message}', NOW(), '%{Calling-Station-Id}')" Thanks Cory
Cory Robson wrote:
I have the following sql in my sql conf file and this is working.
My only gripe is if there is no info provided then what gets placed in the log. It appears in the case of User-Password that a default of Chap-Password is entered as per below.
G'day Cory, In CHAP, the password never goes over the wire (which is its so-called benefit - I think "Challenge-Response Authentication Protocol" would make for a more appropriate acronym), so freeradius has no idea what the end user entered, only that the challenge-response process failed. Chap-Password indicates this. Cheers, -- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia. Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: james.wakefield@deakin.edu.au Website: http://www.deakin.edu.au
Only problem though is I only use PAP. I'm more interested in the syntax of the sql logs though. -----Original Message----- From: freeradius-users-bounces+cory=cmi.net.au@lists.freeradius.org [mailto:freeradius-users-bounces+cory=cmi.net.au@lists.freeradius.org] On Behalf Of James Wakefield Sent: Wednesday, 24 January 2007 11:39 AM To: FreeRadius users mailing list Subject: Re: log failed logins Cory Robson wrote:
I have the following sql in my sql conf file and this is working.
My only gripe is if there is no info provided then what gets placed in the log. It appears in the case of User-Password that a default of Chap-Password is entered as per below.
G'day Cory, In CHAP, the password never goes over the wire (which is its so-called benefit - I think "Challenge-Response Authentication Protocol" would make for a more appropriate acronym), so freeradius has no idea what the end user entered, only that the challenge-response process failed. Chap-Password indicates this. Cheers, -- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia. Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: james.wakefield@deakin.edu.au Website: http://www.deakin.edu.au - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________ NOD32 2000 (20070123) Information __________ This message was checked by NOD32 antivirus system. http://www.eset.com
Cory Robson wrote:
Does anyone have a list of attributes I can log on failed attempts and the structure for the SQL statement.
No, because the list of attributes depends on what the NAS sends, and on your local configuration. Some modules add Module-Message, but not all do.
Eg %{reply:Reply-Message} quite often gives me "=5Cr=5CnYou are already logged in - access denied=5Cr=5Cn=5Cn" whereas I obviously only need the statement you are already logged in.
I assume that an attribute followed by :- means to place what follows in the event of no data provided.
Yes. See doc/variables.txt
Looking for lots of clarification here.
postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date, callingid) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Reply-Message}', NOW(), '%{Calling-Station-Id}')"
Failed authentications are logged to radius.log. See rad_authlog() in src/main/auth.c for what it logs, and what may be available. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (3)
-
Alan DeKok -
Cory Robson -
James Wakefield