Log IP address (Calling-Station-Id?) of failed authentication attempts

Matt Hite lists at beatmixed.com
Mon May 10 06:59:56 CEST 2010

Was a bit confused with this one. You can't actually use msg_goodpass
and/or msg_badpass unless auth_goodpass and/or auth_badpass is set to
"yes." Doing this DOES force logging of passwords. (Comments in
radiusd.conf seem to confirm.)

Did a bit more digging (ie. checked out source code and looked at it).
It appears the functionality to log client IP (Calling-Station-Id) is
already there -- you only need "auth = yes" in radiusd.conf enabled.
Enabling "auth_badpass = yes" and/or "auth_goodpass = yes" and
msg_goodpass/msg_badpass to include %{Calling-Station-Id} is not

Specifically, there is a function in auth.c called auth_name() that is
called during radlog_request(). This function will expand
Calling-Station-Id for inclusion in the log message.

It appears the actual NAS equipment I am using (Force10) just doesn't
send a Calling-Station-Id; hence FreeRADIUS doesn't log it. Works fine
with Cisco kit though.

Mystery solved!


On Sun, May 9, 2010 at 1:19 AM, Alan DeKok <aland at deployingradius.com> wrote:
> Matt Hite wrote:
>> It looks like I can possibly enable auth_badpass and auth_goodpass in
>> radiusd.conf and then set:
>> msg_goodpass = "%{Calling-Station-Id}"
>> msg_badpass = "%{Calling-Station-Id}"
>  Yes.
>> Is this going about it the right way?
>  Yes.
>> Also, I really don't want the failed passwords to get logged. (I don't
>> want to see my colleagues plain-text passwords.) If I do use the
>> aforementioned technique, am I also going to see passwords? I'm
>> guessing yes.
>  No.  See "auth_badpass" and "auth_goodpass" configuration items.  If
> they're set to "no", passwords are not logged.
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list