[RADIATOR] Multiple auth failure handling
Jim Tyrrell
jim at scusting.com
Thu Jun 25 06:35:09 CDT 2009
Hi,
I have been looking at our accounting logs and realised that 50% of all
the RADIUS traffic is authentication failures for a relatively small
number of users. I want to implement a solution to put the users into a
walled garden if they continue to fail and was thinking of somehow
logging failed auths to MySQL and using a handler such as:
<Handler Realm = blah.com>
    AuthByPolicy ContinueWhileReject
    <AuthBy LDAP2>
        # LDAP Stuff
    </AuthBy>
    <AuthBy SQL>
        # If user in SQL DB then auth and setup for walled garden with
        # session timeout
    </AuthBy>
</Handler>
So if the session is rejected, it then checks against MySQL to see if the
user is in there, or in there X number of times and if so accept and
return attributes to put them into a walled garden.
Does this make sense? I have done some searching and other solutions
were generally using hooks and I want to avoid using my shoddy Perl
skills if possible.
What would be the best way to get failed authentications into MySQL? I
could then either query for count of failed sessions or have a job on
the MySQL server to produce a table of top failing users.
Failing that, I could just have a script on each RADIUS server to get the
frequent users from the Radiator logs and put them into a text file and then
have my 2nd AuthBy look at this file, but MySQL would give me more
flexibility and would be visible to support staff.
Thanks.
Jim.
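
The failure-counting logic described in the post above, as an added example that is not part of the original message and is not Radiator code. SQLite stands in for MySQL so it runs stand-alone; the table and column names, the threshold, the time window and the `garden` marker are all assumptions.

```python
import sqlite3

THRESHOLD = 5         # assumed: recent failures needed before walled garden
WINDOW_SECS = 3600    # assumed: only failures from the last hour count
GARDEN_TIMEOUT = 600  # assumed Session-Timeout (seconds) for garden sessions

def open_db():
    """In-memory SQLite standing in for the MySQL server in the post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth_failures "
               "(username TEXT NOT NULL, ts INTEGER NOT NULL)")
    db.execute("CREATE INDEX idx_user_ts ON auth_failures (username, ts)")
    return db

def log_failure(db, username, ts):
    # Parameterised query: User-Name arrives from the network unauthenticated.
    db.execute("INSERT INTO auth_failures (username, ts) VALUES (?, ?)",
               (username, ts))

def recent_failures(db, username, now):
    # Windowed count, so old failures age out instead of pinning a user.
    row = db.execute("SELECT COUNT(*) FROM auth_failures "
                     "WHERE username = ? AND ts > ?",
                     (username, now - WINDOW_SECS)).fetchone()
    return row[0]

def decide(db, username, primary_ok, now):
    """Mirror the two-stage handler: primary auth, then garden check on reject."""
    if primary_ok:
        return ("accept", {})
    log_failure(db, username, now)
    if recent_failures(db, username, now) >= THRESHOLD:
        # 'garden' is a hypothetical marker; real garden attributes are NAS-specific.
        return ("accept", {"Session-Timeout": GARDEN_TIMEOUT, "garden": True})
    return ("reject", {})

def top_failing(db, now, limit=10):
    """The 'top failing users' table for support staff."""
    return db.execute("SELECT username, COUNT(*) AS n FROM auth_failures "
                      "WHERE ts > ? GROUP BY username "
                      "ORDER BY n DESC, username LIMIT ?",
                      (now - WINDOW_SECS, limit)).fetchall()

if __name__ == "__main__":
    db = open_db()
    now = 1_000_000  # constructed timestamps
    for i in range(6):
        print(i, decide(db, "alice@blah.com", False, now + i))
    print(top_failing(db, now + 10))
```

Because the garden accept is granted without a valid password, the reply attributes on that path have to restrict the session to the walled garden only.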