(RADIATOR) Authentication Failure Messages

DUFOUR Geoffrey Geoffrey.DUFOUR at staff.win.be
Tue Sep 30 05:45:37 CDT 2003


Hello,

We need to keep authentication failure information in our database. This
can of course be done with <AuthLog SQL>.

To make it simple, let's say that we have to handle things like an
account status (Active or Blocked) in the authentication process. This
can easily be done with:

AuthSelect select ... from ACCOUNT where USERNAME=%0 and STATUS = 'Active'

But if someone with a correct Usr/Psw but a blocked RADIUS account tries to
connect, it will of course result in the "No such user" failure message
instead of some dedicated failure message such as "Account Blocked".

We could handle the Account Status check using check items and
the AddToRequest parameter instead of using AuthSelect and then get
"dedicated" failure messages, but for other cases it is not that simple.

Ex.:

- For one account (usr/psw), multiple service subscriptions based on the
NAS-Port-Type attribute of the Access-Request and resulting in different
reply attributes.

- Accounts should be bound to several Access Servers (RADIUS clients).

We can handle this with a proper data model and the AuthSelect parameter,
but we need dedicated authentication failure messages (e.g. "No
subscription for this service" and "Not allowed from this NAS") in case
of correct Usr/Psw.

I don't know much about PostAuthHook but I guess it may be the solution.

Any suggestions?

Regards.

Geoffrey
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
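
Added example (not part of the original post, and not Radiator configuration or hook code): a Python/sqlite3 model of the lookup logic the post describes, showing why a STATUS filter in the WHERE clause collapses every failure into "No such user", and how an unfiltered lookup lets each condition map to its own reason once the credentials are known to be correct. Only ACCOUNT, USERNAME and STATUS come from the post; the PASSWORD column, the SUBSCRIPTION and ACCOUNT_NAS tables, the "Bad password" and "Accept" labels and all rows are assumptions constructed for illustration.

```python
import hmac
import sqlite3

# Constructed sample schema and rows. PASSWORD, SUBSCRIPTION and ACCOUNT_NAS
# are hypothetical; only ACCOUNT, USERNAME and STATUS appear in the post.
SCHEMA = """
CREATE TABLE ACCOUNT (USERNAME TEXT PRIMARY KEY, PASSWORD TEXT, STATUS TEXT);
CREATE TABLE SUBSCRIPTION (USERNAME TEXT, NAS_PORT_TYPE TEXT);
CREATE TABLE ACCOUNT_NAS (USERNAME TEXT, NAS_ID TEXT);
INSERT INTO ACCOUNT VALUES ('alice','pw1','Active'), ('bob','pw2','Blocked');
INSERT INTO SUBSCRIPTION VALUES ('alice','Async'), ('bob','Async');
INSERT INTO ACCOUNT_NAS VALUES ('alice','nas1'), ('bob','nas1');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def filtered_lookup(db, user):
    """Status filter in the WHERE clause, as in the post's AuthSelect."""
    row = db.execute("SELECT PASSWORD FROM ACCOUNT WHERE USERNAME=? "
                     "AND STATUS='Active'", (user,)).fetchone()
    # A blocked account and an unknown account both return no row.
    return "found" if row else "No such user"

def classify(db, user, password, port_type, nas_id):
    """Fetch the account unfiltered, then test each condition in turn."""
    row = db.execute("SELECT PASSWORD, STATUS FROM ACCOUNT WHERE USERNAME=?",
                     (user,)).fetchone()
    if row is None:
        return "No such user"
    # Plaintext storage only keeps the sample short; compare in constant time.
    if not hmac.compare_digest(row[0], password):
        return "Bad password"
    # Dedicated reasons are produced only after the credentials checked out.
    if row[1] != "Active":
        return "Account Blocked"
    if not db.execute("SELECT 1 FROM SUBSCRIPTION WHERE USERNAME=? AND "
                      "NAS_PORT_TYPE=?", (user, port_type)).fetchone():
        return "No subscription for this service"
    if not db.execute("SELECT 1 FROM ACCOUNT_NAS WHERE USERNAME=? AND NAS_ID=?",
                      (user, nas_id)).fetchone():
        return "Not allowed from this NAS"
    return "Accept"

if __name__ == "__main__":
    db = open_db()
    print(filtered_lookup(db, "bob"))                    # blocked user
    print(classify(db, "bob", "pw2", "Async", "nas1"))   # same user, classified
```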

