[RADIATOR] Multiple auth failure handling

Jim Tyrrell jim at scusting.com
Thu Jun 25 06:35:09 CDT 2009


Hi,

I have been looking at our accounting logs and realised that 50% of all 
the radius traffic is authentication failures for a relatively small 
number of users.  I want to implement a solution to put the users into a 
walled garden if they continue to fail and was thinking of somehow 
logging failed auths to MySQL and using a handler such as:

<Handler Realm = blah.com>
    # Try the next AuthBy only while the previous one rejects
    AuthByPolicy ContinueWhileReject
    <AuthBy LDAP2>
        # LDAP stuff
    </AuthBy>
    <AuthBy SQL>
        # If user in SQL DB then auth and set up for walled garden
        # with session timeout
    </AuthBy>
</Handler>

So if the session is rejected, it then checks against MySQL to see if the 
user is in there, or in there X number of times and if so accept and 
return attributes to put them into a walled garden.
Does this make sense?  I have done some searching and other solutions 
were generally using hooks and I want to avoid using my shoddy Perl 
skills if possible.

What would be the best way to get failed authentications into MySQL?  I 
could then either query for count of failed sessions or have a job on 
the MySQL server to produce a table of top failing users.

Failing that I could just have a script on each radius server to get the 
frequent users from the Radiator logs and put into a text file and then 
have my 2nd authby look at this file but MySQL would give me more 
flexibility and would be visible to support staff.

Thanks.

Jim.
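
Added example, not part of the original post and not Radiator code: a sketch of the failure table and the two queries the message asks about (a "top failing users" report and the per-user check a second AuthBy would make). The table name, columns, window and threshold are assumptions, and an in-memory SQLite database stands in for the MySQL server.

```python
import sqlite3

# Hypothetical schema: one row per rejected Access-Request.
SCHEMA = """
CREATE TABLE auth_failures (
    username  TEXT    NOT NULL,
    failed_at INTEGER NOT NULL   -- Unix time of the reject
);
CREATE INDEX idx_fail_user_time ON auth_failures (username, failed_at);
"""

def open_db():
    """In-memory SQLite stands in for the MySQL server (assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def log_failure(db, username, when):
    # User-Name is supplied by the client, so it is always bound as a
    # parameter and never interpolated into the SQL text.
    db.execute("INSERT INTO auth_failures (username, failed_at) VALUES (?, ?)",
               (username, when))

def top_failing_users(db, now, window_secs, threshold):
    """Report: users with at least `threshold` rejects inside the window."""
    return db.execute(
        """SELECT username, COUNT(*) AS failures
             FROM auth_failures
            WHERE failed_at > ?
            GROUP BY username
           HAVING COUNT(*) >= ?
            ORDER BY failures DESC, username""",
        (now - window_secs, threshold)).fetchall()

def in_walled_garden(db, username, now, window_secs, threshold):
    """Per-request check: has this user failed `threshold` times recently?"""
    (count,) = db.execute(
        "SELECT COUNT(*) FROM auth_failures"
        " WHERE username = ? AND failed_at > ?",
        (username, now - window_secs)).fetchone()
    return count >= threshold

def purge_old(db, now, window_secs):
    """Housekeeping job: drop rows older than the window; returns rows removed."""
    cur = db.execute("DELETE FROM auth_failures WHERE failed_at <= ?",
                     (now - window_secs,))
    return cur.rowcount
```

Counting only rejects inside a time window means a user who fixes their credentials drops out of the walled garden on their own once the old rows age out.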

