Logging ONLY failed authentication and not correct?

Bjørn Mork bjorn at mork.no
Sat Dec 31 12:11:23 CET 2005


Matt <mhoppes at gmail.com> writes:

> #1 Is there a way to log only incorrect logins in radius.log and to
> ignore correct logins (so as to not fill up the log file)?

Not currently AFAIK, but adding this should be easy.  See the function
rad_authlog() in src/main/auth.c

A new configuration variable, e.g. log_auth_good, could be added to
src/main/mainconfig.c.  I guess it should probably go in the "log"
subsection if you're modifying CVS HEAD, or otherwise in the main
section. 

> #2 When I do get a login incorrect right now I get:
> Auth: Login incorrect (rlm_chap: Clear text password not available):
> [username at host.com/<CHAP-Password>] (from client blah.host.com port
> 2912 cli xxxxxxxxxxx)
>
> Is there any way to get the chap password that the user entered to show
> up.. or is there no way to do the reverse encryption?

That's the point of chap: you don't get the clear text password over
the wire.  So there is no way for either the NAS or the radius
server to guess what the user entered.  Disable chap if this is a
problem for you (but be aware that doing so might deny a few users who
refuse to use pap for some reason).


Bjørn
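
Added example, not part of the original message and not FreeRADIUS code: a Python sketch of the CHAP check discussed above (RFC 1994 response = MD5(ident || secret || challenge), carried in the 17-byte RADIUS CHAP-Password attribute). It shows why the server needs a stored clear-text password to verify and cannot recover what the user typed; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional, Tuple


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """What the NAS sends: 1-byte CHAP ident + 16-byte response (RFC 2865)."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password: bytes, challenge: bytes,
                stored_cleartext: Optional[bytes]) -> Tuple[bool, str]:
    """Server side: recompute the digest from the stored clear-text password."""
    if len(chap_password) != 17:
        return False, "malformed CHAP-Password"
    if stored_cleartext is None:
        # Only a one-way hash (or nothing) is on file: the digest cannot be recomputed.
        return False, "clear text password not available"
    ident, received = chap_password[0], chap_password[1:]
    expected = chap_response(ident, stored_cleartext, challenge)
    if hmac.compare_digest(expected, received):
        return True, "ok"
    # All the server learns is "digest mismatch", never the typed password.
    return False, "login incorrect"


# Constructed sample values (not taken from any real capture).
CHALLENGE = bytes(range(16))
ATTR = build_chap_password(7, b"correct horse", CHALLENGE)


def demo() -> dict:
    return {
        "good": verify_chap(ATTR, CHALLENGE, b"correct horse"),
        "wrong": verify_chap(ATTR, CHALLENGE, b"something else"),
        "no_cleartext": verify_chap(ATTR, CHALLENGE, None),
        "typed_password_on_wire": b"correct horse" in ATTR,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```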