How to Reject User During Authentication

Selahattin Cilek selahattin_cilek at hotmail.com
Fri Aug 11 13:02:17 CEST 2017


Hi.

I have one FreeRADIUS 2.2.9 server running in a student dorm. The server depends on MySQL as its backend. There is also a .NET application I have written to manage and monitor the "raddb" database, which I have customised to suit their needs.

All has been going well for about 6 months. But the dorm director has run into a problem today. There are only a handful of students staying in the dorm. All others are on vacation. Using the .NET application, the director has found out that some students log in to the network using the credentials of some other students that are away. Apparently, they share passwords with fellow students. But the director cannot let that happen. It is against the law to use some other person's credentials to gain access to services, and it does not matter if there is consent. It is very much like lending your passport to a friend. So he asked me to come up with a way to prevent that from happening again.

Since we can't just delete the missing students from the database, I decided to append another field to an existing database table that I use to keep track of network usage (table: usage, column: locked). I also made changes to the .NET application to make it possible for the director to "lock" those users that are away. When a user's "locked" field is set to 1, the "datacounter_auth.sh" script detects this and does not authorise him.

So what is the problem? The problem is that "datacounter_auth.sh" is executed *after* the user is authenticated. What I would like to do is to prevent a locked user from ever passing the authentication phase, because the system logs that as a valid login. We can't let that happen either because the law stipulates that we keep an accurate log of user logins.

So my question is: How can I make authentication fail using an SQL statement *even if* the user provides valid credentials?

Good luck and good day.
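One way to get the behaviour asked for above, shown here as an added example that is not part of the original post and not code from the poster or the FreeRADIUS project: rlm_sql reads check items from radcheck during the authorize stage, before any password is compared, and a check item of Auth-Type := Reject makes the server answer Access-Reject, so the attempt is logged as a rejection rather than a valid login. The example assumes the stock FreeRADIUS 2.x MySQL schema (radcheck, and the authorize_check_query setting in sql/mysql/dialup.conf) plus the poster's usage table, which is assumed to have username and locked columns; the student name is a constructed placeholder.

```sql
-- Added example (not from the original post). Assumes the stock
-- FreeRADIUS 2.x MySQL schema (radcheck) and the poster's `usage`
-- table, assumed to carry `username` and `locked` columns.
-- USAGE is a reserved word in MySQL, hence the backticks.

-- Option 1: store an explicit check item for the locked account.
-- rlm_sql loads radcheck in authorize, before the password check,
-- so "Auth-Type := Reject" turns the request into an Access-Reject
-- even when the supplied password is correct.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('away_student', 'Auth-Type', ':=', 'Reject');   -- constructed name

-- Remove the check item again when the student is back:
DELETE FROM radcheck
 WHERE username  = 'away_student'
   AND attribute = 'Auth-Type'
   AND value     = 'Reject';

-- Option 2: derive the Reject from usage.locked at lookup time, so the
-- director only has to flip the flag and no radcheck rows are needed.
-- This replaces the default authorize_check_query; %{SQL-User-Name}
-- is expanded by FreeRADIUS. The synthesized row gets id 0 so it sorts
-- first, ahead of the user's password check item.
SELECT id, username, attribute, value, op
  FROM radcheck
 WHERE username = '%{SQL-User-Name}'
UNION ALL
SELECT 0, username, 'Auth-Type', 'Reject', ':='
  FROM `usage`
 WHERE username = '%{SQL-User-Name}'
   AND locked   = 1
 ORDER BY id;
```

The UNION query is laid out over several lines for readability; inside dialup.conf it has to sit in the quoted string assigned to authorize_check_query. Both options act before authentication, so the accounting and auth logs record an Access-Reject for a locked account, which is what the logging requirement described above calls for; a check in a script that runs after authentication cannot give that result.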
