reject reason logged in radius.log. Possible?
Daniele Albrizio
albrizio at univ.trieste.it
Thu Jun 14 10:48:22 CEST 2012
I recently set up a banned MAC address database to reject authentication
from proven compromised clients.
I'd like to have a significant record in freeradius logfile for
connection debugging reasons.
The ways I use to implement this result in ambiguous "Invalid user" or
"Login incorrect" misleading messages in radius.log.
Users are in effect valid and correct, but their equipment is not.
Does anybody know how this scenario can be improved?
-----------
Relevant lines of default virtual server authorize section are:
authorize {
    if ( "%{Calling-Station-Id}" =~ /([a-fA-F0-9]{2}.?){6}/ && "%{sql: SELECT 1 FROM callingstidbanlist WHERE mac='%{Calling-Station-Id}'}" == 1 ) {
        update reply {
            # Select ban reason from radgroupreply Port-Message attribute related to the ban group
            Reply-Message := "Access forbidden from this terminal ( %{sql: SELECT value FROM radgroupreply WHERE attribute = 'Port-Message' AND groupname IN (SELECT bangroup FROM callingstidbanlist WHERE mac = '%{Calling-Station-Id}' ) ; } ) ."
        }
        #update control {
        #    Auth-Type := Reject
        #}
        # Line in radius.log:
        # Auth: Login incorrect: [myusername] (from client wall1-wigate1 port 122 cli 00-1C-CC-C3-C7-1A)
        reject
        # Line in radius.log:
        # Auth: Invalid user: [myusername] (from client wall1-wigate1 port 122 cli 00-1C-CC-C3-C7-1A)
    }
}
--
Daniele ALBRIZIO - albrizio at univ.trieste.it
Tel. +39-040.558.3319
UNIVERSITY OF TRIESTE - Network Services
Divisione V - Infrastrutture e Servizi Informativi
via Alfonso Valerio, 12 I-34127 Trieste, Italy
Sezione Infrastrutture Informatiche e Telematiche
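
One way to disambiguate the two log lines quoted above after the fact, as an added example that is not part of the original post and is not FreeRADIUS code: a Python filter that parses radius.log reject lines and labels those whose "cli" MAC is on the ban list. The ban list contents, the timestamps, the second user and the function names are constructed for illustration.

```python
import re

# Matches the auth lines quoted in the post, e.g.
# Auth: Login incorrect: [myusername] (from client wall1-wigate1 port 122 cli 00-1C-CC-C3-C7-1A)
AUTH_LINE = re.compile(
    r"Auth: (?P<status>Login incorrect|Invalid user|Login OK)[^\[]*"
    r"\[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>[^)\s]+))?"
)


def normalize_mac(value):
    """Reduce any common MAC notation to 12 lowercase hex digits, else None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value or "")
    return digits.lower() if len(digits) == 12 else None


def annotate_rejects(lines, banned):
    """Return (user, mac, reason) per reject line; banned maps MAC -> ban reason."""
    bans = {normalize_mac(mac): why for mac, why in banned.items()}
    bans.pop(None, None)  # drop ban entries that are not valid MACs
    out = []
    for line in lines:
        m = AUTH_LINE.search(line)
        if not m or m["status"] == "Login OK":
            continue  # not an auth line, or not a reject
        mac = normalize_mac(m["cli"])
        if mac in bans:
            reason = "banned MAC: " + bans[mac]
        else:
            reason = m["status"]  # keep the reason as logged
        out.append((m["user"], mac, reason))
    return out


# Constructed sample input: line format and first MAC follow the post,
# timestamps, the second user and the ban reason are made up.
SAMPLE_LOG = [
    "Thu Jun 14 10:41:07 2012 : Auth: Login incorrect: [myusername] "
    "(from client wall1-wigate1 port 122 cli 00-1C-CC-C3-C7-1A)",
    "Thu Jun 14 10:41:09 2012 : Auth: Invalid user: [otheruser] "
    "(from client wall1-wigate1 port 123 cli 00:11:22:33:44:55)",
    "Thu Jun 14 10:41:12 2012 : Auth: Login OK: [myusername] "
    "(from client wall1-wigate1 port 124 cli 00-1C-CC-C3-C7-1A)",
]
SAMPLE_BANS = {"001c.ccc3.c71a": "compromised client"}

if __name__ == "__main__":
    for row in annotate_rejects(SAMPLE_LOG, SAMPLE_BANS):
        print(row)
```

The MAC is normalized before comparison because the NAS format in the log (dashes, upper case) need not match the format stored in the ban table.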