Disabling log entries for rejected users

Scott Lambert lambert at lambertfam.org
Fri Jan 15 00:24:38 CET 2016

On Thu, Jan 14, 2016 at 08:59:31AM +0100, Micha?? B wrote:
> Imagine two different situations about denied clients:
> 1. Technician has set wrong login or password on authenticated device. I 
> need messages in log, for debugging reason.
> 2. The user device has been blocked by administrator (no payment, or 
> something like that). The device is trying to authenticate every second, 
> filling radius logs with tons of unnecessary messages.
> I want to get rid of messages coming from situations like 2, but still 
> have messages from situations like 1.

I don't remove prohibited users from the authentication DB.  I just set
them to use IPs from a pool which NATs all web traffic to a webserver
whose error document is a page explaining that they are not authorized
to use the system for one of several possible reasons.  They get a link
to a customer portal where they can resolve the no payment situation and
a phone number to call if they don't think they have a billing issue.

It cuts way down on bad login attempts, and tends to lead to the
resolution of the underlying issue.  It's not a FreeRADIUS technical
solution, but it could help to achieve your goal of smaller logs. 

Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert at lambertfam.org

More information about the Freeradius-Users mailing list