Lockout by IP number?

David B Funk dbfunk at engineering.uiowa.edu
Thu Sep 28 01:58:28 UTC 2023

Again, depending on your infrastructure, that attribute: Calling-Station-Id
may be a useful ID (EG: MAC address) of the end user device.
In that case you may be able to make a filter using that.

Also for FR v2 you need to be sure you've enabled the 'detail.log' module and 
that 'auth_log' entry needs to go in the 'authorize {' section.

On Wed, 27 Sep 2023, David B Funk wrote:

> Ann,
> There is an easy way to see all the attributes in the access-request that 
> your client devices are throwing at the radius server. In the 
> /etc/raddb/sites-enabled/instance-name (where instance name is your active 
> site definition file, by default it's "default") find the line that looks 
> like:
>        #  If you want to have a log of authentication requests,
>        #  un-comment the following line.
> #        auth_log
> remove that '#' in-front of the 'auth_log' entry and restart your radiusd.
> It will generate a "auth-detail" file in a directory (one for each 
> NAS/AP/client-device) and log all the attributes in each request packet it 
> receives.
> Warning, protect those auth-detail files from prying eyes. If you're using an 
> auth mechanism that uses clear-text passwords they may show up in those log 
> files.
> You'll see entries like:
> Sun May 28 00:54:31 2023
>        Packet-Type = Access-Request
>        User-Name = "abcd13 at hah.blah.uiowa.edu"
>        NAS-Port = 460
>        EAP-Message = 
> 0x020a0021016c2d75627533313340424c55452e656e67722e75696f77612e656475
>        Message-Authenticator = 0xc0b56abc5883afca699d1c4386d156cb
>        Acct-Session-Id = "8O2.1x81d086a20001fdd3"
>        NAS-Port-Id = "ge-8/0/14.0"
>        Calling-Station-Id = "c8-5a-cf-06-9e-34"
>        Called-Station-Id = "5c-5e-ab-73-e7-00"
>        NAS-Identifier = "x-sc100"
>        NAS-Port-Type = Ethernet
>        NAS-IP-Address =
>        Huntgroup-Name = "juniper-dot1x-client-BLAH"
> Depending on exactly what your infrastructure is, you may be disappointed.
> If your 'client devices' are things like a NAS or wireless-AP then the IP 
> addresses you will see are of the client devices themselves not the users 
> behind them. (in a "EAPoL" type infrastructure the end users devices do not 
> yet have a visible IP address).
> On Wed, 27 Sep 2023, Ann Cantelow wrote:
>> Hello,
>> I am looking to implement a lockout for excessive login tries. I have been 
>> following advice offered at https://wiki.freeradius.org/guide/lockout , and 
>> thank you very much for that. Is there a variable like '%{User-Name}' for 
>> IP number? I would like to do a lockout based on IP number as well as 
>> User-Name. I see the IP is listed in the radius log, but I haven't been 
>> able to find an attribute that I figure will give this information. I've 
>> looked in the dictionary files, but maybe I've somehow missed it.
>> My radius version is 2.1.12 on RHEL6, and client nastype is cisco. Radius 
>> upgrade to version 3 is planned.
>> Radius log example lines showing ip numbers:
>> ...
>> Wed Sep 27 11:29:13 2023 : Auth: Login incorrect: [edc] (from client 
>> [clientname] port 212271104 cli
>> Wed Sep 27 11:29:14 2023 : Auth: Login incorrect: [edc] (from client 
>> [clientname] port 86839296 cli

Dave Funk                               University of Iowa
<dbfunk (at) engineering.uiowa.edu>     College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

More information about the Freeradius-Users mailing list