Help desk support of authn/authz failures? Logging detailed messages to SQL?
Jason Antman
jantman at oit.rutgers.edu
Tue Sep 27 15:50:37 CEST 2011
We've rolled out FreeRADIUS as the authentication and authorization
server for our University-wide WLAN with 30,000+ users. Our help desk
(general IT, not wireless-specific) support staff is made up of student
workers, with full-time second-level support and us sysadmins/wireless
engineers for third-level support.
As we've rolled out WPA2 and the supplicants give no useful information
about authentication failures to end-users, our help desk is being
inundated with "help, I can't login" calls. We do auth logging to MySQL.
Help desk staff are not given access to our authentication servers, so
our current solution is to use lots of unlang config kludge in
authorize{} to defer any notfound or reject module responses
(configurable failover), then use if statements to check the actual
return of the module. If it's a "bad" user (notfound, reject, etc.) we
set a locally-defined string attribute (control:Reject-Reason) and then
reject the user, and Post-Auth Type Reject logs to SQL including that
string reason. Which is then accessible in a read-only web tool for the
help desk.
1) How do other people - specifically organizations with a help desk
large enough that they're distinctly separate from anyone with enough
privs to tail a log file - handle user support of authentication failures?
2) This is proving problematic with users who have EAP
misconfigurations, empty LDAP passwords, etc. that only manifest as a
module failure and only show up in the log file. I've been considering
patching the relevant modules to add/update an attribute on failure,
since currently AFAIK this information is only available in the log
file, and not anywhere that I can include in the SQL post-auth log. Has
anyone else done anything similar? Or is more detailed module failure
information accessible through something that I haven't been able to
find in the docs?
Thanks for any advice/insights,
Jason
--
Jason Antman
System Administrator
Rutgers University
OIT Central Systems & Services / NetOps
Office: 732-445-6363
Cell: 732-983-7256
jantman at oit.rutgers.edu
More information about the Freeradius-Users
mailing list