Lockout by IP number?

David B Funk dbfunk at engineering.uiowa.edu
Thu Sep 28 01:11:10 UTC 2023


There is an easy way to see all the attributes in the access-request that your 
client devices are throwing at the radius server. In the 
/etc/raddb/sites-enabled/instance-name (where instance name is your active site 
definition file, by default it's "default") find the line that looks like:

         #  If you want to have a log of authentication requests,
         #  un-comment the following line.
#        auth_log

remove that '#' in front of the 'auth_log' entry and restart your radiusd.
It will generate an "auth-detail" file in a directory (one for each 
NAS/AP/client-device) and log all the attributes in each request packet it 
Warning, protect those auth-detail files from prying eyes. If you're using an 
auth mechanism that uses clear-text passwords they may show up in those log 

You'll see entries like:

Sun May 28 00:54:31 2023
         Packet-Type = Access-Request
         User-Name = "abcd13 at hah.blah.uiowa.edu"
         NAS-Port = 460
         EAP-Message = 0x020a0021016c2d75627533313340424c55452e656e67722e75696f77612e656475
         Message-Authenticator = 0xc0b56abc5883afca699d1c4386d156cb
         Acct-Session-Id = "8O2.1x81d086a20001fdd3"
         NAS-Port-Id = "ge-8/0/14.0"
         Calling-Station-Id = "c8-5a-cf-06-9e-34"
         Called-Station-Id = "5c-5e-ab-73-e7-00"
         NAS-Identifier = "x-sc100"
         NAS-Port-Type = Ethernet
         NAS-IP-Address =
         Huntgroup-Name = "juniper-dot1x-client-BLAH"

Depending on exactly what your infrastructure is, you may be disappointed.
If your 'client devices' are things like a NAS or wireless-AP then the IP 
addresses you will see are those of the client devices themselves, not of the users behind 
them. (In an "EAPoL"-type infrastructure the end users' devices do not yet have a 
visible IP address.)

On Wed, 27 Sep 2023, Ann Cantelow wrote:

> Hello,
> I am looking to implement a lockout for excessive login tries. I have been following advice offered at https://wiki.freeradius.org/guide/lockout , and thank you very much for that. Is there a variable like '%{User-Name}' for IP number? I would like to do a lockout based on IP number as well as User-Name. I see the IP is listed in the radius log, but I haven't been able to find an attribute that I figure will give this information. I've looked in the dictionary files, but maybe I've somehow missed it.
> My radius version is 2.1.12 on RHEL6, and client nastype is cisco. Radius upgrade to version 3 is planned.
> Radius log example lines showing ip numbers:
> ...
> Wed Sep 27 11:29:13 2023 : Auth: Login incorrect: [edc] (from client [clientname] port 212271104 cli
> Wed Sep 27 11:29:14 2023 : Auth: Login incorrect: [edc] (from client [clientname] port 86839296 cli
> Wed Sep 27 11:29:16 2023 : Auth: Login incorrect: [qazwsx] (from client [clientname] port 241688576 cli
> Wed Sep 27 11:29:17 2023 : Auth: Login incorrect: [qazwsx] (from client [clientname] port 166244352 cli
> ...
> Many thanks,
> Ann Cantelow

Dave Funk                               University of Iowa
<dbfunk (at) engineering.uiowa.edu>     College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
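As an added example (not part of the thread, and not Dave's or FreeRADIUS's own code): a small Python script that parses the auth-detail layout shown above and measures the peak number of Access-Requests per NAS-IP-Address, per Calling-Station-Id and per User-Name inside a sliding window. Running it on the constructed sample shows the point made above: a threshold keyed on NAS-IP-Address counts every user behind that NAS together, while Calling-Station-Id (the end device's MAC) and User-Name separate them. The sample entries, addresses, window and threshold are all constructed.

```python
"""Aggregate FreeRADIUS auth-detail entries per NAS, per station and per user.

Added example, not code from the thread or from the FreeRADIUS project.
Parses the detail-file layout written by auth_log (timestamp line, indented
"Attribute = value" lines, blank-line separator) and reports the peak number
of Access-Requests per key attribute in a sliding time window.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the auth-detail layout shown in the thread.
# Addresses and MACs are made up; abcd13 hammers NAS 192.0.2.10 while
# qazwsx sends two requests through two different NASes.
SAMPLE_DETAIL = """\
Sun May 28 00:54:31 2023
\tPacket-Type = Access-Request
\tUser-Name = "abcd13"
\tCalling-Station-Id = "c8-5a-cf-06-9e-34"
\tNAS-IP-Address = 192.0.2.10

Sun May 28 00:54:32 2023
\tPacket-Type = Access-Request
\tUser-Name = "abcd13"
\tCalling-Station-Id = "c8-5a-cf-06-9e-34"
\tNAS-IP-Address = 192.0.2.10

Sun May 28 00:54:34 2023
\tPacket-Type = Access-Request
\tUser-Name = "qazwsx"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tNAS-IP-Address = 192.0.2.10

Sun May 28 00:54:36 2023
\tPacket-Type = Access-Request
\tUser-Name = "abcd13"
\tCalling-Station-Id = "c8-5a-cf-06-9e-34"
\tNAS-IP-Address = 192.0.2.10

Sun May 28 00:54:38 2023
\tPacket-Type = Access-Request
\tUser-Name = "qazwsx"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tNAS-IP-Address = 192.0.2.11

Sun May 28 00:59:59 2023
\tPacket-Type = Access-Request
\tUser-Name = "abcd13"
\tCalling-Station-Id = "c8-5a-cf-06-9e-34"
\tNAS-IP-Address = 192.0.2.10
"""

# Detail files stamp each entry like "Sun May 28 00:54:31 2023".
ENTRY_TS_FORMAT = "%a %b %d %H:%M:%S %Y"
# Indented attribute line; the value may be empty (e.g. "NAS-IP-Address =").
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*(.*?)\s*$')


def parse_detail(text):
    """Return a list of (timestamp, {attribute: value}) tuples, one per entry."""
    entries = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue                      # blank separator between entries
        if not line[0].isspace():
            # An unindented line is the timestamp that opens a new entry.
            current = (datetime.strptime(line.strip(), ENTRY_TS_FORMAT), {})
            entries.append(current)
        elif current is not None:
            m = ATTR_RE.match(line)
            if m:
                current[1][m.group(1)] = m.group(2).strip('"')
    return entries


def peak_rate(entries, key_attr, window_seconds=60):
    """Peak count of Access-Requests per value of key_attr in any window."""
    stamps_by_key = defaultdict(list)
    for ts, attrs in entries:
        if attrs.get("Packet-Type") != "Access-Request":
            continue
        key = attrs.get(key_attr)
        if key:                           # skip entries with the attribute missing or empty
            stamps_by_key[key].append(ts)
    peaks = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        best = start = 0
        for end, ts in enumerate(stamps):  # two-pointer sliding window
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peaks[key] = best
    return peaks


def over_threshold(peaks, threshold):
    """Keys whose peak rate reaches the threshold, sorted for stable output."""
    return sorted(k for k, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_detail(SAMPLE_DETAIL)
    for attr in ("NAS-IP-Address", "Calling-Station-Id", "User-Name"):
        peaks = peak_rate(parsed, attr)
        print(f"{attr}: {peaks} -> over 3/min: {over_threshold(peaks, 3)}")
```

Note what the NAS-IP-Address grouping does to qazwsx: its one request through 192.0.2.10 lands in the same bucket as abcd13's three, so a lockout keyed on that address would penalise every user behind the NAS. Keying on Calling-Station-Id or User-Name keeps the counts per device and per account, which is why the thread points out that the address in these entries is the NAS's, not the user's.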
