Antw: Re: EAP-PWD with wrong password

Anja Ruckdaeschel Anja.Ruckdaeschel at rz.uni-regensburg.de
Wed Sep 26 10:55:27 CEST 2018


I thought a lot about getting "at least something" logged in radius.log
when a user TRIES/STARTS to do a request with EAP-PWD.....

I came up with this and perhaps someone can use this as some kind of base idea for logging ....

The idea behind this is: find the stage in the whole EAP-PWD thing where the server sends its last packet (Challenge)
and is waiting for the client, who never answers. Log this.
So, if there is no second log line with Auth: OK, you can at least see "User X tried/began to use EAP-PWD".

First you need a policy to "identify" the "stage":

logpwdtry {
	if (&request:EAP-Type && &request:EAP-Type == "PWD") {
		if (&EAP-Message) {
			# 10 hex chars = EAP Code, Identifier, Length and Type;
			# the next octet is L/M/PWD-Exch (L and M clear), its PWD-Exch value is captured as %{1}
			if (&EAP-Message =~ /^0x[a-f0-9]{10}0([123])[a-f0-9]+$/) {
				# PWD-Exch 2 = Commit: we are in the PWD-Exch-Commit stage
				if ("%{1}" == "2") {
					linelogpwd
				}
			}
		}
	}
}


Call the policy in default, in Auth-Type eap:

Auth-Type eap {
	eap {
		handled = 1
	}
	logpwdtry
}



Have a linelog instance "linelogpwd" like this:

linelog linelogpwd {
	filename = ${logdir}/radius.log
	escape_filenames = no
	permissions = 0600
	format = "This is a log message for %{User-Name}"
	reference = "messages.%{%{reply:Packet-Type}:-default}"
	messages {
		default = "Unknown packet type %{Packet-Type}"
		Access-Accept = "Accepted user: %{User-Name}"
		Access-Reject = "Rejected user: %{User-Name}"
		# THIS IS THE LOG MESSAGE - perhaps something like this:
		Access-Challenge = "%t : Auth: (%n) Login TRY: [%{User-Name}] (from client %{Client-Shortname} port %{NAS-Port} cli %{Calling-Station-Id})  EAP-Type:%{EAP-Type} / Sent challenge to client ... Waiting ..."
	}
}


Suggestions for improvement are welcome :-)

Ciao Anja

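To make the regex in the policy above concrete, here is an added Python decoder (not from the post or from FreeRADIUS) that parses the EAP-Message expansion the unlang matches on (assumed to be "0x" plus lowercase hex, as the post's regex also assumes) into the EAP-pwd header fields of RFC 5931, and runs the post's regex beside it on constructed packets. It also shows the one case the regex leaves out: a Commit with the L (Length) or M (More) flag bit set has a non-zero high nibble in that octet and does not match `0([123])`.

```python
import re

EAP_TYPE_PWD = 52                        # IANA EAP method type for EAP-pwd (RFC 5931)
EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
PWD_EXCH = {1: "ID", 2: "Commit", 3: "Confirm"}

# The unlang regex from the post with the redundant {1} quantifiers dropped
# (identical matches): 10 hex chars = Code, Identifier, Length, Type.
POST_REGEX = re.compile(r"^0x[a-f0-9]{10}0([123])[a-f0-9]+$")

def decode_eap_pwd(eap_message: str) -> dict:
    """Decode an EAP-Message as FreeRADIUS expands it ("0x" + lowercase hex)."""
    if not eap_message.startswith("0x"):
        raise ValueError("expected octets expansion starting with 0x")
    pkt = bytes.fromhex(eap_message[2:])
    if len(pkt) < 5:
        raise ValueError("EAP packet shorter than header plus Type")
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError(f"EAP Length {length} does not match {len(pkt)} bytes")
    info = {"code": EAP_CODE.get(pkt[0], pkt[0]), "id": pkt[1], "type": pkt[4]}
    if pkt[4] != EAP_TYPE_PWD or len(pkt) < 6:
        return info                      # not EAP-pwd: no L/M/PWD-Exch octet
    flags = pkt[5]                       # RFC 5931 3.1: L(1) | M(1) | PWD-Exch(6)
    info["L"] = bool(flags & 0x80)       # Total-Length field follows this octet
    info["M"] = bool(flags & 0x40)       # more fragments follow
    info["exch"] = PWD_EXCH.get(flags & 0x3F, flags & 0x3F)
    return info

def is_pwd_commit_response(eap_message: str) -> bool:
    """True when the client's Commit is in the request, fragmented or not."""
    info = decode_eap_pwd(eap_message)
    return info["code"] == "Response" and info.get("exch") == "Commit"

def post_regex_group(eap_message: str):
    """What the post's regex captures as %{1}, or None when it does not match."""
    m = POST_REGEX.match(eap_message)
    return m.group(1) if m else None

# Constructed sample packets (payload bytes are placeholders, not real EAP-pwd data).
SAMPLES = {
    "ID response":                "0x0203000a3401deadbeef",
    "Commit response":            "0x0205000c3402aabbccddeeff",
    "Commit response, L bit set": "0x0206000e34820100aabbccddeeff",
    "Confirm response":           "0x0207000c3403001122334455",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name}: regex %{{1}}={post_regex_group(msg)} decoder={decode_eap_pwd(msg)}")
```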



>>> Alan Buxey <alan.buxey at gmail.com> 13.09.2018 13:37 >>>
hi,

> Maybe the RFC can be expanded?
>

good luck with that. ;-)


> It's still a new one and  I think, a lot of people would be happy about
> that
> and would happily deploy EAP-PWD in their eduroam environments ... ;-)
> It's never too late....
>
>
whilst the number of clients that support it is low...that didn't stop us -
what did was the backend requirements and a move to EAP-TLS anyway - along with our
deployment tools not supporting EAP-PWD for auto-configuration of correct settings
on the clients that COULD do EAP-PWD (measured on one fish hand....)

[as for EAP-FASTv2 ...... do any of the standard makers even consider how
to bootstrap the required support ecosystem so these things actually get used
in large scales and enterprise environments???]

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
