Radius users state

Sudarshan Soma sudarshan12s at gmail.com
Tue Sep 16 14:03:33 CEST 2008


Hi Ivan, please see my quick queries inline. I will read more on this
and will let you know; meanwhile, if you think I am starting in a
completely wrong way, please advise.

On Tue, Sep 16, 2008 at 3:45 PM,  <tnt at kalik.net> wrote:
> First a few basic things. Are you using a very old version of the server?
> If you are, unlang is not going to work. If you are not, don't use
> Auth-Type Local and User-Password but Cleartext-Password as per
> instructions in users file.
[Pavan]
I was trying with an older RADIUS server (1.x series).

>
> You can't pass priv level in Reply-Message. You need to consult your NAS
> documentation to see how it's done. It's usually passed in vendor
> specific attributes like Cisco avpairs.
[Pavan]
Yes, agreed. I plan to add such attributes specific to my NAS.
>
>>/etc/raddb/users has a first entry for each user with the correct passwd,
>>followed by a wrong passwd (kept it as regular expression *)
>>
>>xyz Auth-Type := Local , User-password = "xyz"
>>            Reply-Message = "successfull level(2)."
>>
>>xyz Auth-Type := Reject , User-password =~ "*"
>>           Reply-Message = "Invalid passwd for xyz(level 2)."
>>
>
> You don't need a regexp there. If the user entry with the password wasn't
> matched, it means that the password is wrong. No need to check for that.
[Pavan]
If the NAS has a requirement that
- a user with privilege level > 2 should not be locked out after 4 consecutive
invalid attempts,
then I need the privilege level even if authentication fails, to
determine whether the user can be locked or not.

Is this the correct way to do this?
-- Does maintaining a database of users' invalid attempt counts in the NAS
make sense?
-- Does the above entry look like an invalid/inconsistent entry?
>
> Ivan Kalik
> Kalik Informatika ISP
>
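For reference, here is how the "xyz" entry above could be written the way Ivan describes (an added example, not from this thread): one check item, the privilege level in a NAS-specific VSA, and no second "reject" entry. It assumes a Cisco NAS that reads the Cisco-AVPair attribute "shell:priv-lvl=N"; the privilege-level value and the message text are constructed.

```text
# Added example (not from the thread). Check items go on the user's first line;
# reply items follow on indented lines, comma-separated, no comma after the last.
# Cleartext-Password is the check item; the server compares it and sends
# Access-Reject itself when it does not match, so no "Auth-Type := Reject"
# entry with a regexp is needed.
# Assumed: a Cisco NAS that takes the privilege level from Cisco-AVPair
# (dictionary.cisco). Reply-Message is only free text shown to the user.
xyz     Cleartext-Password := "xyz"
        Cisco-AVPair = "shell:priv-lvl=2",
        Reply-Message = "successful level(2)."

# Note: the users file cannot count consecutive failures per user; that
# state has to live in the NAS (or a separate server-side module), which is
# why the privilege level belongs in the NAS's own configuration or in the
# reply, not in a reject entry.
```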